Edit tour

Windows Analysis Report
NPKpnpi8wd.exe

Overview

General Information

Sample name:	NPKpnpi8wd.exe renamed because original name is a hash value
Original sample name:	f8dfb6485af80dcacc00312132e88298.exe
Analysis ID:	1494153
MD5:	f8dfb6485af80dcacc00312132e88298
SHA1:	067ba3a9f385ec33d5984461c0233b37d2abd1ef
SHA256:	c1740fcf9eb097117502faa6db7b82c98b85c58c752da69d99cdcf57477d2b41
Tags:	exe
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction (VM detection)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Creates files inside the system directory

Deletes files inside the Windows folder

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May check the online IP address of the machine

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

NPKpnpi8wd.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\NPKpnpi8wd.exe" MD5: F8DFB6485AF80DCACC00312132E88298)

msiexec.exe (PID: 6916 cmdline: msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI742.tmp MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6972 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3228 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 22F5A9CBC8CA689F01C752EE1468F3EF MD5: 9D09DC1EDA745A5F87553048E57620CF)

abd2.exe (PID: 4284 cmdline: "C:\Program Files (x86)\mercado Livre\abd2.exe" MD5: 098AC4621EE0E855E0710710736C2955)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\mercado Livre\abd2.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.abd2.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

String found in binary or memory: INSERT INTO `` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYComboBoxListBoxSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`ActionTarget`Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'CustomActionSET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0AI_STARTMENU_SHAI_QUICKLAUNCH_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderQuickLaunch_DirStartupFolderAI_SH_DIRProductNameRiched20.dll -user -mach

Source: unknown	Process created: C:\Users\user\Desktop\NPKpnpi8wd.exe "C:\Users\user\Desktop\NPKpnpi8wd.exe"
Source: C:\Users\user\Desktop\NPKpnpi8wd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI742.tmp
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22F5A9CBC8CA689F01C752EE1468F3EF
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\mercado Livre\abd2.exe "C:\Program Files (x86)\mercado Livre\abd2.exe"
Source: C:\Users\user\Desktop\NPKpnpi8wd.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i C:\Users\user\AppData\Local\Temp\MSI742.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 22F5A9CBC8CA689F01C752EE1468F3EF	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\mercado Livre\abd2.exe "C:\Program Files (x86)\mercado Livre\abd2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\NPKpnpi8wd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NPKpnpi8wd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: webui.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: compstui.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: inetres.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Program Files (x86)\mercado Livre\abd2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: NPKpnpi8wd.exe

Static file information: File size 23650304 > 1048576

Source: NPKpnpi8wd.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x167e000

Source: NPKpnpi8wd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: e:\Develope\msi2exe\release\msi2exestub.pdb source: NPKpnpi8wd.exe
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr

Source: initial sample

Static PE information: section where entry point is pointing to: .xdC

Source: WebUi.dll.2.dr	Static PE information: section name: .didata
Source: WebUi.dll.2.dr	Static PE information: section name: .L"5
Source: WebUi.dll.2.dr	Static PE information: section name: .T%@
Source: WebUi.dll.2.dr	Static PE information: section name: .xdC

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1127.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1167.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\mercado Livre\abd2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\mercado Livre\WebUi.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1127.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1167.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10F8.tmp	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 7B0005 value: E9 8B 2F 75 76	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 76F02F90 value: E9 7A D0 8A 89	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 7C0007 value: E9 EB DF 77 76	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 76F3DFF0 value: E9 1E 20 88 89	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 7D0005 value: E9 2B BA 6F 76	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 76ECBA30 value: E9 DA 45 90 89	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 2290008 value: E9 8B 8E C8 74	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 76F18E90 value: E9 80 71 37 8B	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 22A0005 value: E9 8B 4D 95 73	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 75BF4D90 value: E9 7A B2 6A 8C	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 22B0005 value: E9 EB EB 95 73	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 75C0EBF0 value: E9 1A 14 6A 8C	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 22C0005 value: E9 8B 8A D1 72	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 74FD8A90 value: E9 7A 75 2E 8D	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 22D0005 value: E9 2B 02 D3 72	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Memory written: PID: 4284 base: 75000230 value: E9 DA FD 2C 8D	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B9D738D
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B6664CA
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6BA0BF70
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6BB46817
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6BAE6894
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6CAECF66
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6C92D627
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6CAA9D74
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6CAC4AD2
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6CAB2577
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6C8A2199
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B98E272
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6CA900C9
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B6A7394
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6C8DEA87
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B6A529B
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6BB7371C
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6BB4A22A
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B9E202E
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6C96E826
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6C90461F
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6CA7F4B8
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B97C1DC
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6BB49FE4
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6C94A48B
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	API/Special instruction interceptor: Address: 6B6E16C1

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: PROCESSHACKER.EXEU
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: WIRESHARK.EXE

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Program Files (x86)\mercado Livre\abd2.exe

Special instruction interceptor: First address: 6BB62ECB instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI10A8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1127.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1167.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI10F8.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: abd2.exe, 00000004.00000002.2910084027.0000000000877000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Program Files (x86)\mercado Livre\abd2.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\mercado Livre\abd2.exe "C:\Program Files (x86)\mercado Livre\abd2.exe"

Jump to behavior

Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: Shell_TrayWndSVW
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: Shell_TrayWnd
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managera
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager!
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerA
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program managera
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager!
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program managerA
Source: abd2.exe, 00000004.00000002.2910543154.00000000024D0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Managerq
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager1
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program managerQ
Source: abd2.exe, 00000004.00000002.2911072484.0000000002C6C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: program manager
Source: abd2.exe, 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, abd2.exe.2.dr	Binary or memory string: ProgmanU
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: Shell_TrayWndU
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SV

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Queries volume information: \Device\CdRom0\ VolumeInformation	Jump to behavior

Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp

Binary or memory string: Wireshark.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	21 Masquerading	1 Credential API Hooking	531 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	212 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
NPKpnpi8wd.exe	46%	ReversingLabs	Win32.Trojan.Casbaneiro
NPKpnpi8wd.exe	41%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files (x86)\mercado Livre\WebUi.dll	71%	ReversingLabs	Win32.Trojan.Casbaneiro
C:\Program Files (x86)\mercado Livre\WebUi.dll	57%	Virustotal		Browse
C:\Program Files (x86)\mercado Livre\abd2.exe	3%	ReversingLabs
C:\Program Files (x86)\mercado Livre\abd2.exe	1%	Virustotal		Browse
C:\Windows\Installer\MSI10A8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI10A8.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI10F8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI10F8.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI1127.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1127.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI1167.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1167.tmp	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ip-api.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://fontawesome.io	0%	URL Reputation	safe
http://fontawesome.io	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
https://www.thawte.com/cps0/	0%	URL Reputation	safe
https://www.thawte.com/repository0W	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	0%	Avira URL Cloud	safe
https://www.catcert.cat/verCIT-10	0%	Avira URL Cloud	safe
https://stats.itopupdate.com/multi_app_new.php	0%	Avira URL Cloud	safe
https://www.google.com.br/	0%	Avira URL Cloud	safe
http://fontawesome.io/license/	0%	Avira URL Cloud	safe
http://ip-api.com/json/	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpU	100%	Avira URL Cloud	malware
http://www.catcert.cat/descarrega/acc.crt0#	0%	Avira URL Cloud	safe
https://www.catcert.cat/verCIT-10	0%	Virustotal		Browse
https://www.google.com.br/	0%	Virustotal		Browse
https://www.advancedinstaller.com	0%	Avira URL Cloud	safe
http://ip-api.com/json/	0%	Virustotal		Browse
https://ebaoffice.com.br/imagens/bo/inspecionando.phpU	4%	Virustotal		Browse
http://ocsp.catcert.cat0	0%	Avira URL Cloud	safe
http://epscd.catcert.net/crl/ec-acc.crl0.	0%	Avira URL Cloud	safe
http://www.catcert.cat/descarrega/acc.crt0#	0%	Virustotal		Browse
http://epscd2.catcert.net/crl/ec-acc.crl0	0%	Avira URL Cloud	safe
https://www.advancedinstaller.com	1%	Virustotal		Browse
https://stats.itopupdate.com/multi_app_new.php	0%	Virustotal		Browse
http://epscd2.catcert.net/crl/ec-acc.crl0	0%	Virustotal		Browse
http://epscd.catcert.net/crl/ec-acc.crl0.	0%	Virustotal		Browse
http://fontawesome.io/license/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stats.itopupdate.com/multi_app_new.php	abd2.exe, 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, abd2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fontawesome.io	abd2.exe, 00000004.00000002.2910983920.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://fontawesome.io/license/	abd2.exe, 00000004.00000002.2910983920.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com.br/	abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	abd2.exe.2.dr	false	URL Reputation: safe	unknown
http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens	abd2.exe, 00000004.00000002.2910983920.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.catcert.cat/verCIT-10	abd2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	false	URL Reputation: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpU	abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/envelope/	abd2.exe, 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, abd2.exe.2.dr	false	URL Reputation: safe	unknown
http://www.catcert.cat/descarrega/acc.crt0#	abd2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.advancedinstaller.com	NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.catcert.cat0	abd2.exe.2.dr	false	Avira URL Cloud: safe	unknown
http://epscd.catcert.net/crl/ec-acc.crl0.	abd2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.indyproject.org/	abd2.exe, 00000004.00000002.2911973162.0000000069C09000.00000020.00000001.01000000.00000005.sdmp, abd2.exe, 00000004.00000002.2910543154.0000000002560000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://epscd2.catcert.net/crl/ec-acc.crl0	abd2.exe.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1494153
Start date and time:	2024-08-17 09:14:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NPKpnpi8wd.exe renamed because original name is a hash value
Original Sample Name:	f8dfb6485af80dcacc00312132e88298.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@8/26@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:15:25	API Interceptor	1x Sleep call for process: abd2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	RFQ.pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	SecuriteInfo.com.Win64.MalwareX-gen.28480.11199.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	ip-api.com/json
	Comprobante_swift_8986.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	zIS5Sa8XHf.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	IyPv1P2bBw.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	zIS5Sa8XHf.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	IyPv1P2bBw.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	1723808584018648727f760e361eb4efa7f955a7815a197224c23016b321ab954767b45b82703.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	OC 20240814.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	RFQ.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win64.MalwareX-gen.28480.11199.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	208.95.112.1
	Comprobante_swift_8986.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	zIS5Sa8XHf.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IyPv1P2bBw.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	zIS5Sa8XHf.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IyPv1P2bBw.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	1723808584018648727f760e361eb4efa7f955a7815a197224c23016b321ab954767b45b82703.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	OC 20240814.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	RFQ.pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	SecuriteInfo.com.Win64.MalwareX-gen.28480.11199.exe	Get hash	malicious	Python Stealer, Monster Stealer	Browse	208.95.112.1
	Comprobante_swift_8986.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	zIS5Sa8XHf.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IyPv1P2bBw.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	zIS5Sa8XHf.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	IyPv1P2bBw.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	1723808584018648727f760e361eb4efa7f955a7815a197224c23016b321ab954767b45b82703.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	OC 20240814.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Orden de compra.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI10A8.tmp	Honeygain_install.exe.zip	Get hash	malicious	Unknown	Browse
	tigervnc64.exe	Get hash	malicious	Babadeda	Browse
	iDyC9N8FCE.exe	Get hash	malicious	Babadeda	Browse
	IDfac-t.165.j0.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Installer\MSI10F8.tmp	Honeygain_install.exe.zip	Get hash	malicious	Unknown	Browse
	tigervnc64.exe	Get hash	malicious	Babadeda	Browse
	iDyC9N8FCE.exe	Get hash	malicious	Babadeda	Browse
	IDfac-t.165.j0.msi	Get hash	malicious	Unknown	Browse

Source: C:\Program Files (x86)\mercado Livre\WebUi.dll	ReversingLabs: Detection: 70%
Source: C:\Program Files (x86)\mercado Livre\WebUi.dll	Virustotal: Detection: 57%			Perma Link

Source: NPKpnpi8wd.exe	ReversingLabs: Detection: 45%
Source: NPKpnpi8wd.exe	Virustotal: Detection: 41%			Perma Link

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: abd2.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: abd2.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: abd2.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: abd2.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: abd2.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd2.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: abd2.exe.2.dr	String found in binary or memory: http://epscd.catcert.net/crl/ec-acc.crl0.
Source: abd2.exe.2.dr	String found in binary or memory: http://epscd2.catcert.net/crl/ec-acc.crl0
Source: abd2.exe, 00000004.00000002.2910983920.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontawesome.io
Source: abd2.exe, 00000004.00000002.2910983920.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontawesome.io/license/
Source: abd2.exe, 00000004.00000002.2910983920.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: abd2.exe.2.dr	String found in binary or memory: http://ocsp.catcert.cat0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: abd2.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: abd2.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: abd2.exe, 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, abd2.exe.2.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://t2.symcb.com0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: http://tl.symcd.com0&
Source: abd2.exe.2.dr	String found in binary or memory: http://www.catcert.cat/descarrega/acc.crt0#
Source: abd2.exe.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: abd2.exe, 00000004.00000002.2911973162.0000000069C09000.00000020.00000001.01000000.00000005.sdmp, abd2.exe, 00000004.00000002.2910543154.0000000002560000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1--F4MFA0VoMjrlKOrQBJllMDopSK92p-
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1-iOSQjT44_UUyF5rl6JGizL5jWNy8gne
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=12DW-nFp6uBo3zifmiESi18x3uXqgzYnu
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=12hbi1wHJPMb7N54ewv-FMziqiI1pdohj
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13K15ZzfbiHo2_nQJWDeaR6bs-88Ex4ke
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13STRCM4xGalbZUoToD9AEsIf2LMn0zQ3
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=13uLNkPwzmvDchyphVi80sNSec4hP-5y8
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=14_BblvoYYSUuu3FQJmE706uJDDckissj
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=16Kqbl2vlWamTAZ3tvnItoyS-mge8Rpz8
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=17Z0xMja5i9kpIoIAbo09ylxHQ_GhVVVy
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AkiAAH6bSmRwAnjrCtE8sgC_tD5BsmYv
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Av3dvZUyh5RrGlmWqADxKKkV62O9Q0J7
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1HhfYIn2HeZ3ujaAtoyraHnJbWxa0shSx
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1HrvY1XzgByk0HXPxq4eUUMA30KY6UHUU
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1I6BIaJsGGPMlnE5wye-wPGuBoN6sDYqfS
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1Li90uyQO5NIWhjb7IgkvMihB_9yF8xql
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1QrBIdxKh7w-iOrliq9_K9CVlUC3YNHdNU
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1UF8RdVspwB0sWoZO4QgXwdshfp29vgVA
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1VTKGhw5qXNh2DmhfjmJjGTSllsTTrOJW
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YCogkU8Av_wfl15TB4G6lq-XgerOPsrP
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YFVDOpe1Oyk0D-FTJKtc6Vhc08qysxxM
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1_UFOoZ-uwZVw4LY4XGXYAoNqEBUJCrfs
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1aRlo1_02LB06Kr_RAPSCHI4DX1ROKX4r
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1bCvsOaCjHHuL6YWQ6jWCKh-sPeBXHGth
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1d39BiXw2wNcoXhqR-mzNe6HjTQzfPSB2
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1hJBTH9ZBK47ZO477SdV8lUCQs_lgVIy3
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1jqT6NE5N9O2dIBh0yKdK8Et-glqsaL0H
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1lQNCt3A2gFkbUl_282f2fU38KYu6Lv7b
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1m5V-2ixfaDRNusMWGKoF9q3F5aU9WhOd
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1o0UC8dT-3YFn9NBbYjFniQJp3-Q2GMgg
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1oFGu0v-pph6aXW_jH5z5raZcuozE-NwP
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1p9bf6JYW7cMzOx-kU2GKg_jUM-RIdTE0
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1rhjOyVuGuWQRqf3mXVrSXmivxhU6q_iI
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1uIe9zD2U6ZsefeYtpYDiFpqfBQjWGaM-
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1uKiAnXTUejCWVfY_9cK1DruQdqX4RW1p
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1uv91IKisZ2Q-Of1xJn7F2K3nWbsnTKCJ
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1y_zhnuEMDrpJ0p1yxO06bQDkcySt2Zqm
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1zT0cA5RJjA8bMCenecf7X-TlZJ9KSf-8
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1zoNuWfLbmiKQ6Cv-CdYplhz9hLQOKgFu
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpU
Source: abd2.exe, 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, abd2.exe.2.dr	String found in binary or memory: https://stats.itopupdate.com/multi_app_new.php
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: abd2.exe.2.dr	String found in binary or memory: https://www.catcert.cat/verCIT-10
Source: abd2.exe.2.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: abd2.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: abd2.exe, 00000004.00000002.2911973162.00000000694F1000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.google.com.br/
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: NPKpnpi8wd.exe, MSI10F8.tmp.2.dr, MSI10A8.tmp.2.dr, MSI1167.tmp.2.dr, 700afb.msi.2.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\700afb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10A8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10F8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1127.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1167.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{EE6CA973-EE86-4C1D-9907-F513A108BAE0}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI11F5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\700afe.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\700afe.msi	Jump to behavior

Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI10A8.tmp 84F8A39D32775639BB3F8875B8E871E0E2344F2A96C52AB6660E65D5C33FD7F9
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI10F8.tmp 84F8A39D32775639BB3F8875B8E871E0E2344F2A96C52AB6660E65D5C33FD7F9

Source: Yara match	File source: 4.0.abd2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\mercado Livre\abd2.exe, type: DROPPED

Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Program Files (x86)\mercado Livre\abd2.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	9108
Entropy (8bit):	5.438137996982202
Encrypted:	false
SSDEEP:	192:ECcKti33cJcucGc3QiP7RrBbucCciOEmceucCciO16asOBmcIqnJMQhtQFwpI6aq:E5KZu1tgIz15iLe15iKDLCu
MD5:	434C939738664F98905860369A325887
SHA1:	63E25E3982A9EE5DDD6F751D2695991B8E30F3F0
SHA-256:	D5A8255B07F2CED75909BC48D0EF8A7C73DEA0E6739B9E954762302601E8AA28
SHA-512:	3252027DFE2991A0CCF3F34FE7BBE30DAAFE4BDD5BAFB698064100649EEE32636C53CC92DE21413CEB939E0F52619092F7CFBB9BA84961DF36F8AC4FE6392574
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{EE6CA973-EE86-4C1D-9907-F513A108BAE0}..A.u.t.o.r.i.z.a...a.o. .d.e. .E.n.v.i.o...MSI742.tmp.@.....@.....@.....@........&.{2CD2E442-0988-4D88-87D4-2F79D1FFD051}.....@.....@.....@.....@.......@.....@.....@.......@......A.u.t.o.r.i.z.a...a.o. .d.e. .E.n.v.i.o.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{2DFFD89C-A97E-4ED4-A160-5BDD3E288FDA}&.{EE6CA973-EE86-4C1D-9907-F513A108BAE0}.@......&.{B539A853-9E17-4ABB-A53E-FB9969EBE4EB}&.{EE6CA973-EE86-4C1D-9907-F513A108BAE0}.@......&.{D30A8351-E1B3-48E5-8BD7-5EFDECE9218B}&.{EE6CA973-EE86-4C1D-9907-F513A108BAE0}.@......&.{97BC1F04-68DC-4C80-96DA-B0660BA89839}&.{EE6CA973-EE86-4C1D-9907-F513A108BAE0}.@........CreateFolders..Criando novas pastas..Pasta: [1]#.%.C:\Program Files (x86)\mercado Livre\.@........InstallFiles..Copiando arquivos novos*.A.r.q.u.i.v.

Process:	C:\Users\user\Desktop\NPKpnpi8wd.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2CD2E442-0988-4D88-87D4-2F79D1FFD051}, Number of Words: 2, Subject: Autorizaao de Envio, Author: mercado Livre, Name of Creating Application: Autorizaao de Envio, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Autorizaao de Envio., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	23576576
Entropy (8bit):	7.980583881914744
Encrypted:	false
SSDEEP:	393216:z6fbAiuO3Q1FiWWmfMfQsE313jsAzJnAmfI5mVPfN0yliI6/VZsnCH4VVQc75O:zofgPiJfOps0J7Ggind7aH
MD5:	42DA280A5EF8F137B80235598F23329B
SHA1:	29BB7FAA671A15990CBDB67C1DB2215487544849
SHA-256:	B86B3B74457FFD33FEC3782371AD23C96F57FD502FAE1A3194A9445FB843D8CC
SHA-512:	D441DB8994CE605AC23520709959D703520EB3477264B3322AB5888DD54BD6CAE911B4CDED6E446E2B68297C6D284A05F6FC51D8293354978FEDE5DA26598540
Malicious:	false
Reputation:	low
Preview:	......................>...................h...................................F.......b.......o.......................................c.........../...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...\|...}...~...........................................................<...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...;...?...5...6...7...8...9...:...E...=.......>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.978633384914657
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NPKpnpi8wd.exe
File size:	23'650'304 bytes
MD5:	f8dfb6485af80dcacc00312132e88298
SHA1:	067ba3a9f385ec33d5984461c0233b37d2abd1ef
SHA256:	c1740fcf9eb097117502faa6db7b82c98b85c58c752da69d99cdcf57477d2b41
SHA512:	5faaf6fa4ce68dc02f50e55451b02ed82a36378864361d81781f03a274eab9a65b8b830144684e1000f81b57d9915b0a3ad3daea0bde2fcb41258b99848942be
SSDEEP:	393216:T6fbAiuO3Q1FiWWmfMfQsE313jsAzJnAmfI5mVPfN0yliI6/VZsnCH4VVQc75Oo:TofgPiJfOps0J7Ggind7aHn
TLSH:	C6373315B29BC936CA0D05BBE859FF1E4079BF63073501D7B7E53C9E48B08C1A6B9A42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m..............&~......&m......&n.......^..............&q......&.......&{.....Rich............................PE..L.....kI...

Entrypoint:	0x401f54
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x496BFC80 [Tue Jan 13 02:29:20 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0f7d0ed8477bf9ca9b4b2ce07e02a90e

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe5e8	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x167d658	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc200	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xde78	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa494	0xb000	faa20d416cf66a0e758d51d62d506053	False	0.5961692116477273	data	6.374283196502087	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x2f56	0x3000	191e5dfc6ac85f3b137e574ecc199dee	False	0.3616536458333333	data	5.33958366807718	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x2d3c	0x1000	605cb8f363da7eb9d3c143ecb2c1f1c2	False	0.22607421875	data	2.365699420498644	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12000	0x167d658	0x167e000	147c92574ff3072463640211672fd487	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MSI	0x121d4	0x167c000	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2CD2E442-0988-4D88-87D4-2F79D1FFD051}, Number of Words: 2, Subject: Autorizaao de Envio, Author: mercado Livre, Name of Creating Application: Autorizaao de Envio, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Autorizaao de Envio., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200	English	United States	0.44672203063964844
RT_ICON	0x168e1d4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.4637096774193548
RT_ICON	0x168e4bc	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5675675675675675
RT_ICON	0x168e5e4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3935018050541516
RT_ICON	0x168ee8c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4486994219653179
RT_GROUP_ICON	0x168f3f4	0x3e	data	English	United States	0.8225806451612904
RT_MANIFEST	0x168f434	0x221	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5486238532110091

DLL	Import
KERNEL32.dll	GetTempPathW, GetTempFileNameW, FindResourceW, SizeofResource, LoadResource, LockResource, CreateThread, CreateFileW, DeleteFileW, CreateFileA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, ExitProcess, CreateProcessW, GetLastError, WriteFile, FlushFileBuffers, CloseHandle, GetProcAddress, GetModuleHandleA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetStdHandle, GetModuleFileNameA, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSection, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, Sleep, HeapSize, RtlUnwind, GetLocaleInfoA, VirtualAlloc, HeapReAlloc, SetStdHandle, RaiseException
USER32.dll	DefWindowProcW, PostQuitMessage, EndPaint, BeginPaint, UpdateWindow, ShowWindow, CreateWindowExW, GetSystemMetrics, RegisterClassExW, GetSysColorBrush, LoadCursorW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, MessageBoxW, InvalidateRect
GDI32.dll	TextOutW, SetBkMode, SelectObject, GetStockObject, DeleteObject

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 17, 2024 09:15:26.197905064 CEST	49736	80	192.168.2.4	208.95.112.1
Aug 17, 2024 09:15:26.202847958 CEST	80	49736	208.95.112.1	192.168.2.4
Aug 17, 2024 09:15:26.202924013 CEST	49736	80	192.168.2.4	208.95.112.1
Aug 17, 2024 09:15:26.203176975 CEST	49736	80	192.168.2.4	208.95.112.1
Aug 17, 2024 09:15:26.208018064 CEST	80	49736	208.95.112.1	192.168.2.4
Aug 17, 2024 09:15:26.659723043 CEST	80	49736	208.95.112.1	192.168.2.4
Aug 17, 2024 09:15:26.702903032 CEST	49736	80	192.168.2.4	208.95.112.1
Aug 17, 2024 09:16:21.868608952 CEST	80	49736	208.95.112.1	192.168.2.4
Aug 17, 2024 09:16:21.868866920 CEST	49736	80	192.168.2.4	208.95.112.1

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 17, 2024 09:15:26.177953959 CEST	50829	53	192.168.2.4	1.1.1.1
Aug 17, 2024 09:15:26.184756994 CEST	53	50829	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Aug 17, 2024 09:15:26.203176975 CEST	166	OUT	GET /json/ HTTP/1.1 Host: ip-api.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/3.0 (compatible; Indy Library)
Aug 17, 2024 09:15:26.659723043 CEST	482	IN	HTTP/1.1 200 OK Date: Sat, 17 Aug 2024 07:15:26 GMT Content-Type: application/json; charset=utf-8 Content-Length: 305 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.33"}

Target ID:	0
Start time:	03:15:03
Start date:	17/08/2024
Path:	C:\Users\user\Desktop\NPKpnpi8wd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NPKpnpi8wd.exe"
Imagebase:	0x400000
File size:	23'650'304 bytes
MD5 hash:	F8DFB6485AF80DCACC00312132E88298
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NPKpnpi8wd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\700afd.rbs

C:\Program Files (x86)\mercado Livre\WebUi.dll

C:\Program Files (x86)\mercado Livre\abd2.exe

C:\Users\user\AppData\Local\Temp\MSI742.tmp

C:\Windows\Installer\700afb.msi

C:\Windows\Installer\700afe.msi

C:\Windows\Installer\MSI10A8.tmp

C:\Windows\Installer\MSI10F8.tmp

C:\Windows\Installer\MSI1127.tmp

C:\Windows\Installer\MSI1167.tmp

C:\Windows\Installer\MSI11F5.tmp

C:\Windows\Installer\SourceHash{EE6CA973-EE86-4C1D-9907-F513A108BAE0}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF252A0D068D4595F0.TMP

C:\Windows\Temp\~DF481ECB40FE4D18A9.TMP

C:\Windows\Temp\~DF48ED6A521FFEA8AE.TMP

Windows Analysis Report
NPKpnpi8wd.exe

Target ID:	3
Start time:	03:15:05
Start date:	17/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 22F5A9CBC8CA689F01C752EE1468F3EF
Imagebase:	0xc40000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	03:15:07
Start date:	17/08/2024
Path:	C:\Program Files (x86)\mercado Livre\abd2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\mercado Livre\abd2.exe"
Imagebase:	0x400000
File size:	1'909'504 bytes
MD5 hash:	098AC4621EE0E855E0710710736C2955
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000004.00000000.1705415801.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\mercado Livre\abd2.exe, Author: Joe Security
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 1%, Virustotal, Browse
Reputation:	low
Has exited:	false

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre