Edit tour

Windows Analysis Report
2tytrCyNuF.msi

Overview

General Information

Sample name:	2tytrCyNuF.msi renamed because original name is a hash value
Original sample name:	19adf18044aa497dc793d0f117dfb1b68800c93e0cfde82837aa1aecc24bd70e.msi
Analysis ID:	1592144
MD5:	8438efc424aca0df22b0987e54ebedf9
SHA1:	8f1f9a179a4784d3543c7a476c01181bceb93b18
SHA256:	19adf18044aa497dc793d0f117dfb1b68800c93e0cfde82837aa1aecc24bd70e
Tags:	bankerlatammsitrojanuser-johnk3r
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Overwrites code with function prologues

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Launches processes in debugging mode, may be used to hinder debugging

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7596 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2tytrCyNuF.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7628 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7696 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7DBAA4AD04C4E7682ABB0AAAF07D1209 MD5: 9D09DC1EDA745A5F87553048E57620CF)

Flexpcis.exe (PID: 7836 cmdline: "C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

cleanup

Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: Drivespan.dll.1.dr

Static PE information: Number of sections : 13 > 10

Source: 2tytrCyNuF.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs 2tytrCyNuF.msi

Source: classification engine

Classification label: mal88.evad.winMSI@6/26@0/0

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F1510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_009F1510

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML40BF.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF9A96319E3287E2A1.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Command line argument: 3Ro	3_2_009F17A0
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Command line argument: -Restart	3_2_009F17A0
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Command line argument: drivespan.dll	3_2_009F17A0
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Command line argument: drivespan.dll	3_2_009F17A0
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Command line argument: run	3_2_009F17A0

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2tytrCyNuF.msi	Virustotal: Detection: 11%
Source: 2tytrCyNuF.msi	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2tytrCyNuF.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7DBAA4AD04C4E7682ABB0AAAF07D1209
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe "C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7DBAA4AD04C4E7682ABB0AAAF07D1209	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe "C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: drivespan.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: 2tytrCyNuF.msi

Static file information: File size 20951552 > 1048576

Source:	Binary string: c:\builds\workspace\Applications\Transfer_common\src\Release\Transfer.pdb source: Flexpcis.exe, 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmp, Flexpcis.exe, 00000003.00000000.1747695042.00000000009FF000.00000002.00000001.01000000.00000003.sdmp, Flexpcis.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: 2tytrCyNuF.msi, MSI3AF2.tmp.1.dr, 4937c9.msi.1.dr, MSI3D58.tmp.1.dr, 4937c6.msi.1.dr

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F1000 SHGetFolderPathW,PathFileExistsW,PathFileExistsW,PathFileExistsW,MoveFileExW,PathFileExistsW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

3_2_009F1000

Source: initial sample

Static PE information: section where entry point is pointing to: .fd>

Source: Drivespan.dll.1.dr	Static PE information: section name: .didata
Source: Drivespan.dll.1.dr	Static PE information: section name: .,Lm
Source: Drivespan.dll.1.dr	Static PE information: section name: .j'<
Source: Drivespan.dll.1.dr	Static PE information: section name: .fd>
Source: MSI3AF2.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI3B61.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI3BA0.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI3CDA.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI3D58.tmp.1.dr	Static PE information: section name: .fptable

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F3016 push ecx; ret

3_2_009F3029

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3BA0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AF2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B61.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Drivespan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CDA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D58.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3BA0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AF2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B61.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CDA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D58.tmp	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with function prologues

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 76ECBA30 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 75BF4D90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 75C0EBF0 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 74FD8A90 value: 8B FF 55 8B EC	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 75000230 value: 8B FF 55 8B EC	Jump to behavior

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: B60005 value: E9 8B 2F 3A 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 76F02F90 value: E9 7A D0 C5 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: D80005 value: E9 2B BA 14 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 76ECBA30 value: E9 DA 45 EB 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: D90008 value: E9 8B 8E 18 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 76F18E90 value: E9 80 71 E7 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: DB0005 value: E9 8B 4D E4 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 75BF4D90 value: E9 7A B2 1B 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: DC0005 value: E9 EB EB E4 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 75C0EBF0 value: E9 1A 14 1B 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: DD0005 value: E9 8B 8A 20 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 74FD8A90 value: E9 7A 75 DF 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: DE0005 value: E9 2B 02 22 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Memory written: PID: 7836 base: 75000230 value: E9 DA FD DD 8B	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 59A1406
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 48527FD
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 594E3E1
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 47D5F9A
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 4746189
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 58D04F1
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 477A6A8
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 595D280
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 475A291
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 58EB78C
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 594E51A
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 592A582
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 592D746
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 57E6EA9
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 47C5024
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 4BB90E7
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 4AF0BD8
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	API/Special instruction interceptor: Address: 4B0B734

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F1510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_009F1510

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3BA0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3AF2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3B61.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3CDA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3D58.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

API coverage: 8.9 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F55D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_009F55D7

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F1510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

3_2_009F1510

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

3_2_009F1000

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F6268 mov eax, dword ptr fs:[00000030h]

3_2_009F6268

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F9302 GetProcessHeap,

3_2_009F9302

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe "C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Code function: 3_2_009F2821 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_009F2821
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Code function: 3_2_009F55D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_009F55D7
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Code function: 3_2_009F2DC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_009F2DC9
Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	Code function: 3_2_009F2F17 SetUnhandledExceptionFilter,	3_2_009F2F17

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F305C cpuid

3_2_009F305C

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Code function: 3_2_009F2CB2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_009F2CB2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	21 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	23 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	123 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2tytrCyNuF.msi	12%	Virustotal		Browse
2tytrCyNuF.msi	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Drivespan.dll	100%	Avira	HEUR/AGEN.1327653
C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Drivespan.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Drivespan.dll	32%	Virustotal		Browse
C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	0%	Virustotal		Browse
C:\Windows\Installer\MSI3AF2.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3AF2.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI3B61.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3B61.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI3BA0.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3BA0.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI3CDA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3CDA.tmp	0%	Virustotal		Browse
C:\Windows\Installer\MSI3D58.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI3D58.tmp	0%	Virustotal		Browse

Name	Source	Malicious	Reputation
http://www.indyproject.org/	Flexpcis.exe, 00000003.00000003.2042407030.0000000005C3F000.00000004.00001000.00020000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	Flexpcis.exe.1.dr	false	high
http://www.symauth.com/cps0(	Flexpcis.exe.1.dr	false	high
http://www.symauth.com/rpa00	Flexpcis.exe.1.dr	false	high
http://ocsp.thawte.com0	Flexpcis.exe.1.dr	false	high
http://www.nero.com	Flexpcis.exe.1.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592144
Start date and time:	2025-01-15 20:34:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2tytrCyNuF.msi renamed because original name is a hash value
Original Sample Name:	19adf18044aa497dc793d0f117dfb1b68800c93e0cfde82837aa1aecc24bd70e.msi
Detection:	MAL
Classification:	mal88.evad.winMSI@6/26@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 5 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe	IRPF2024-0940959038w904598304w985036.msi	Get hash	malicious	Unknown	Browse
	NFeNFCe.msi	Get hash	malicious	Unknown	Browse
	Fct63e39.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Installer\MSI3AF2.tmp	msit.exe	Get hash	malicious	LummaC Stealer	Browse
	msit.msi	Get hash	malicious	LummaC Stealer	Browse
	Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi	Get hash	malicious	Unknown	Browse
	Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi	Get hash	malicious	Unknown	Browse
	bmouJCkvam.msi	Get hash	malicious	Unknown	Browse
	FS-SZHAJCVS.msi	Get hash	malicious	Unknown	Browse
	FS-JFDIBGWE.msi	Get hash	malicious	Unknown	Browse
	http://propdfhub.com	Get hash	malicious	Unknown	Browse
	http://res.pdfonestartlive.com	Get hash	malicious	Unknown	Browse
	740d3a.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\4937c8.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	9993
Entropy (8bit):	5.548322894194191
Encrypted:	false
SSDEEP:	192:mlhWLuxksRewixSauWf3w3ujMOE+X3ujMOkls+tByr2V6L/p+yz2FCPw/6:ml8ixksjvauWfgejMsXejM7lRtByr2Ve
MD5:	5DCE66C6DE333C03E98DAA6EECC59E36
SHA1:	8CF31F608B725209E0C7FD8306F195F992976761
SHA-256:	D2F0A7220BF08B44D149818D1E3DDBC5B8832032B8D71E28F381E4A92F4B1D73
SHA-512:	C6FD2BB15A289B8C33AB2799ECD2B52C1C490D20E27BCD36DCDE010C3CEB56683D8BEBAD0D649DBBE8DADE79F77150B91C83A3E2DEC741C09AAD8AFDEDE6F61A
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@ft/Z.@.....@.....@.....@.....@.....@......&.{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}..Microsoft Corporativa..2tytrCyNuF.msi.@.....@.....@.....@........&.{70E7C985-4726-4956-A0F5-45A631F7DDEE}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft Corporativa......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{CDEA45A4-A39D-41FB-B2DA-1FD0E8595250}&.{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}.@......&.{676D84DC-BFDA-4068-9A01-16D4BF1D67D8}&.{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}.@......&.{B4AEC35F-8627-4D8B-B76B-3F5B9A45B1D9}&.{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}.@......&.{AFCBD693-8D7A-436E-B38F-8184EB8332E6}&.{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}.@........CreateFolders..Criando novas pastas..Pasta: [1]#.=.C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\.@........InstallFiles..Copiando arquivos novos*.A.r.q.u.i.v.o.:. .[.1.

C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Drivespan.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19726848
Entropy (8bit):	7.975847496143139
Encrypted:	false
SSDEEP:	393216:x6cc0NIYj5K5IEOa3QrWrah6loH7JQu8WW+NJsW084ijkjml:xRcBsQ3OoQirah6e7J8mqq4i4jm
MD5:	F05A4BC3F0A887D1EFF099D7DE6D6EB5
SHA1:	AB372E891921C8D77AD3407EAC0FDC68EB5CD58E
SHA-256:	BE446EFCACEFF36613FCF9092164AE37E8F27D662D6E088A15C1126A8471E1C8
SHA-512:	8C9160B1DDF5BD64772C8251FAC279EEE9DF4CFC1DDAF0531D07D4B6688A329B9B592B5C43A3C8EA94771F84887E5443AD7CC3C46F5B60D0AF47DFEA63E118CE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 32%, Browse
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L...-..g.................l9...)...............9...@..................................................................#.................X.......................D.......................................................d...t........................text....>9......................... ..`.itext...+...P9..................... ..`.data.........9.....................@....bss....pv...`:..........................idata...4....:.....................@....didata.h.... ;.....................@....edata.......0;.....................@..@.rdata..E....@;.....................@..@.,Lm.........P;..................... ..`.j'<....\|...........................@....fd>....`.,.......,................. ..`.rsrc...X.............,.............@..@.reloc..D.............,.............@..B.....................0d......Zc.............@..@........................................................

C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	138520
Entropy (8bit):	5.97678172694547
Encrypted:	false
SSDEEP:	3072:h1tkoMvK2ZjKlrH5ySykwTzwk5aOz1b3aDczMns53:h1tkpZyCj1mDcIu3
MD5:	E04F15D35A1807C4D74D2538D5FE28C9
SHA1:	9A42B387BABDEA719D54C1E11BAAE9FDB9897F71
SHA-256:	7E4132835419E4C415D048B64A5FC2813B8D2FF72BB5586D857DCDF6A90A45F2
SHA-512:	0FA81E472CC65AC3E0DC6427D72002905C577B61C98CBB2859829EF5A139B1AC81FA09D680614C4EA94D599919E67C62F28475AF813400106DDDABE57180AAE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: IRPF2024-0940959038w904598304w985036.msi, Detection: malicious, Browse Filename: NFeNFCe.msi, Detection: malicious, Browse Filename: Fct63e39.msi, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`u.h$.f;$.f;$.f;...;-.f;...;].f;...;<.f;.Je:6.f;.Jc:..f;.Jb:6.f;..;-.f;$.g;y.f;.Jo:&.f;.J.;%.f;$..;%.f;.Jd:%.f;Rich$.f;........PE..L....&.].........."..................(............@..........................@......Q.....@.................................DI..d.......8................3...0......@;..p............................;..@...............4............................text.../........................... ..`.rdata..L`.......b..................@..@.data........`.......8..............@....gfids...............B..............@..@.rsrc...8............D..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................

C:\Windows\Installer\4937c6.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {70E7C985-4726-4956-A0F5-45A631F7DDEE}, Number of Words: 10, Subject: Microsoft Corporativa, Author: @Klabin, Name of Creating Application: Microsoft Corporativa, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Microsoft Corporativa., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jan 14 00:51:03 2025, Last Saved Time/Date: Tue Jan 14 00:51:03 2025, Last Printed: Tue Jan 14 00:51:03 2025, Number of Pages: 450
Category:	dropped
Size (bytes):	20951552
Entropy (8bit):	7.9673458298105695
Encrypted:	false
SSDEEP:	393216:tktwyY0daED8wromlva/UNzoGFaCwn/gRUgTD0Hsc23sfr:tkYcaEQw8mha/UNZFabnekscisfr
MD5:	8438EFC424ACA0DF22B0987E54EBEDF9
SHA1:	8F1F9A179A4784D3543C7A476C01181BCEB93B18
SHA-256:	19ADF18044AA497DC793D0F117DFB1B68800C93E0CFDE82837AA1AECC24BD70E
SHA-512:	3AF72B150EF511391CCB89866BCC55B7D060EB6316B04E8BDDC178F57A4EFCE8DFD4FC637C8E406105D70C0E4A999DD8B227C8BD65411FEF98AED6DB9018FB5C
Malicious:	false
Reputation:	low
Preview:	......................>...................@...................................F.......c.......o...........................................................................................................................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...E.......>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\4937c9.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {70E7C985-4726-4956-A0F5-45A631F7DDEE}, Number of Words: 10, Subject: Microsoft Corporativa, Author: @Klabin, Name of Creating Application: Microsoft Corporativa, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Microsoft Corporativa., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jan 14 00:51:03 2025, Last Saved Time/Date: Tue Jan 14 00:51:03 2025, Last Printed: Tue Jan 14 00:51:03 2025, Number of Pages: 450
Category:	dropped
Size (bytes):	20951552
Entropy (8bit):	7.9673458298105695
Encrypted:	false
SSDEEP:	393216:tktwyY0daED8wromlva/UNzoGFaCwn/gRUgTD0Hsc23sfr:tkYcaEQw8mha/UNZFabnekscisfr
MD5:	8438EFC424ACA0DF22B0987E54EBEDF9
SHA1:	8F1F9A179A4784D3543C7A476C01181BCEB93B18
SHA-256:	19ADF18044AA497DC793D0F117DFB1B68800C93E0CFDE82837AA1AECC24BD70E
SHA-512:	3AF72B150EF511391CCB89866BCC55B7D060EB6316B04E8BDDC178F57A4EFCE8DFD4FC637C8E406105D70C0E4A999DD8B227C8BD65411FEF98AED6DB9018FB5C
Malicious:	false
Preview:	......................>...................@...................................F.......c.......o...........................................................................................................................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...E.......>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI3AF2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: msit.exe, Detection: malicious, Browse Filename: msit.msi, Detection: malicious, Browse Filename: Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi, Detection: malicious, Browse Filename: Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi, Detection: malicious, Browse Filename: bmouJCkvam.msi, Detection: malicious, Browse Filename: FS-SZHAJCVS.msi, Detection: malicious, Browse Filename: FS-JFDIBGWE.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: 740d3a.msi, Detection: malicious, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3B61.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3BA0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3CDA.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3D58.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1021792
Entropy (8bit):	6.608380087035959
Encrypted:	false
SSDEEP:	24576:ccNkyRsKx6NapcjRh0lhSMXltuGVJ8Wea/xwuC:jNkyRmopy4duG/8Wea/xwuC
MD5:	EC6EBF65FE4F361A73E473F46730E05C
SHA1:	01F946DFBF773F977AF5ADE7C27FFFC7FE311149
SHA-256:	D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F
SHA-512:	E4D7AAFA75D07A3071D2739D18B4C2B0A3798F754B339C349DB9A6004D031BF02F3970B030CEC4A5F55B4C19F03794B0CE186A303D936C222E7E6E8726FFFFF7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L...l..f.........."!...).....`............... ......................................Di....@A............................L...,...@....................Z..`=......h....K..p....................L...... K..@............ ...............................text...Z........................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3FD9.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3213
Entropy (8bit):	5.458796259969811
Encrypted:	false
SSDEEP:	96:y5PkzDGWgDUALlDblDqNilDM1lDTVlDFlDv8Rg7i6plDzlDJ2NknPkt0KlDkXUIc:ylhWLbHfWg7ig2qP7zXub
MD5:	D8D57614A1C2D22BC89DACDD67B75565
SHA1:	6BB7D28A5677EB3A96972AF8F6D384DD8FCC8441
SHA-256:	3016A122844B6E015E2C3F3E79A0F3627166E3B9BCBEB91A0FF93B805DBFEEC2
SHA-512:	4B0C5250F37DE458F4077EA9FA8CF99AE7E5AAE0B98AD6C55B095213650291942D785B6827E93B8A8979EAAECA9D60CCE285D6F9F5EDFCEC66BABC3C207FD789
Malicious:	false
Preview:	...@IXOS.@.....@et/Z.@.....@.....@.....@.....@.....@......&.{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}..Microsoft Corporativa..2tytrCyNuF.msi.@.....@.....@.....@........&.{70E7C985-4726-4956-A0F5-45A631F7DDEE}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft Corporativa......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{CDEA45A4-A39D-41FB-B2DA-1FD0E8595250}=.C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\.@.......@.....@.....@......&.{676D84DC-BFDA-4068-9A01-16D4BF1D67D8}2.01:\Software\@Klabin\Microsoft Corporativa\Version.@.......@.....@.....@......&.{B4AEC35F-8627-4D8B-B76B-3F5B9A45B1D9}I.C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe.@.......@.....@.....@......&.{AFCBD693-8D7A-436E-B38F-8184EB8332E6}J.C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Driv

C:\Windows\Installer\SourceHash{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1635961277482734
Encrypted:	false
SSDEEP:	12:JSbX72FjyAGiLIlHVRpZh/7777777777777777777777777vDHFWMWtX5SCYbitr:JIQI5t4PxYiiF
MD5:	3FA2A381EA66BA3E2DA448BCADD00C77
SHA1:	D4A04BC7A6DAE7ABB301B9F46814C1F89D45B7AF
SHA-256:	B79E9BC59E479D1937967C0ED2D7C02B5F8398B522BC7A82E3EA785DFFFE60D6
SHA-512:	C2FEF509D6452ACA603CBFAEBAF73CA37A703D3C3F6AB6F183F4EF1B8D1E55E9646B570EE6B7CC5B7041010BF092BB3A90F5551076ED761F6B704C8AEB26F6CB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5575378309412877
Encrypted:	false
SSDEEP:	48:yy8Ph8uRc06WXJ0nT5F8sgWfxSCPAECiCytoc+xSCbT8vq:2h813nT7Fg8oECGsMv
MD5:	8B188186E9CE2FA322FB2105A840CB05
SHA1:	A2790381B3684BC2C0F55C20670BF8EB640C4491
SHA-256:	ADF243BA29EF2AF4A08368A74B9C23D202BC78B2FA7F748FE9DA283B6A23BA3D
SHA-512:	A5A9D5D8AC8BF44B7B4F8B2E363ABB4D9B30DB4B6ADEB71537F8CE87D1F30FEA75526E38D321BD7EB4CBA9F6FE2B4E051178E24D0283ACEE52BD7CA3F3915436
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375175225113304
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauJ:zTtbmkExhMJCIpEro
MD5:	1C1BA891FB376EDD36E550749660411B
SHA1:	11F7408EBBF08581594B7A5B71EBEB6354A2F405
SHA-256:	CAA3B85B84ED1E6FBB720E13C35DEFB6BB04AFEBB1841245F2C5F3DA967EA615
SHA-512:	36B00F71176C67068D8E4AF8C1E27FB29DCCCC23513EA79E25234BFD1CA9E38B53611E3B1216A724AA5DDE44026260DAFEF0B84F37BFE4D847C666A4FB58B247
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF09AB025CB9CCFE2D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5575378309412877
Encrypted:	false
SSDEEP:	48:yy8Ph8uRc06WXJ0nT5F8sgWfxSCPAECiCytoc+xSCbT8vq:2h813nT7Fg8oECGsMv
MD5:	8B188186E9CE2FA322FB2105A840CB05
SHA1:	A2790381B3684BC2C0F55C20670BF8EB640C4491
SHA-256:	ADF243BA29EF2AF4A08368A74B9C23D202BC78B2FA7F748FE9DA283B6A23BA3D
SHA-512:	A5A9D5D8AC8BF44B7B4F8B2E363ABB4D9B30DB4B6ADEB71537F8CE87D1F30FEA75526E38D321BD7EB4CBA9F6FE2B4E051178E24D0283ACEE52BD7CA3F3915436
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5A92F5594DF0CA16.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2482574677831182
Encrypted:	false
SSDEEP:	48:M90ukYM+CFXJLT5t8sgWfxSCPAECiCytoc+xSCbT8vq:o0nzTTFg8oECGsMv
MD5:	30F78ACF3C3FA5BC48BF777EB5AF1543
SHA1:	D75BC20E21FF8DCB01DEAF18B4B915B4208990E0
SHA-256:	7DA00289B9AB081A703F985336157015238873EAEB231B9E156158F6ED79CE52
SHA-512:	B6BB8DB0A3413A20A13D0B8315E34EEE41DB9F49DE793EF2349F711D743A60B22BE569A699A40C943459E36231A6913F77DFCFB35D012C90A8A74A6F66C3F4E8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF836B5A43463758AB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9A96319E3287E2A1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.13533708846177436
Encrypted:	false
SSDEEP:	24:FX6Y0BTxkrd/ipVkrdxkrd/ipVkrdBAEVkryjCyqOV2BwGWWTnc+OcY:FqYiTexSCsxSCPAECiCytocwncEY
MD5:	FC24EB125316813E9927BA2E1F8B0AA7
SHA1:	27BDAFF73EB8D130F32B254561FF09F86D5D8359
SHA-256:	743E7FEE9E0FDBC92322E62156506736527AFD404F902049F228ABCE21606F16
SHA-512:	DD97C6FCF47FB365F1D261777190AD8D3C2004B28019F3189F00CBA6786BB0866C57B6511E1E6DB619D4C73EFA18EC7707884A651BF342760842F98B48C5EA3D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9C6AB143184999BB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2482574677831182
Encrypted:	false
SSDEEP:	48:M90ukYM+CFXJLT5t8sgWfxSCPAECiCytoc+xSCbT8vq:o0nzTTFg8oECGsMv
MD5:	30F78ACF3C3FA5BC48BF777EB5AF1543
SHA1:	D75BC20E21FF8DCB01DEAF18B4B915B4208990E0
SHA-256:	7DA00289B9AB081A703F985336157015238873EAEB231B9E156158F6ED79CE52
SHA-512:	B6BB8DB0A3413A20A13D0B8315E34EEE41DB9F49DE793EF2349F711D743A60B22BE569A699A40C943459E36231A6913F77DFCFB35D012C90A8A74A6F66C3F4E8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB80DDCE5BA0A590F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCA3C40956A044D23.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCBD368949DA3CFA0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD11F0AEF1574F5AF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07125878327599178
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOWMlWtXdDSCvDtgVky6lit/:2F0i8n0itFzDHFWMWtX5SCbZit/
MD5:	C971D152B12A93309934AF5EA0A425E1
SHA1:	29E0414FAF9CC797730CD01F97527C7826E23428
SHA-256:	52A0E51023A651579C1F434C85D4BD83EB8C6B3311F5F0AF0F3D3644087F45CD
SHA-512:	69DD95AF4E03261BBC7490A52E3A61BA97B1E02D249159E2BE17CD3920049E2C6F532956CA7EA5B1A0EC8D3755009C6CC33EF9FDABC54838522991A4A4D91171
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDDE03ACD6DFB2F27.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF3D0BFE581562593.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5575378309412877
Encrypted:	false
SSDEEP:	48:yy8Ph8uRc06WXJ0nT5F8sgWfxSCPAECiCytoc+xSCbT8vq:2h813nT7Fg8oECGsMv
MD5:	8B188186E9CE2FA322FB2105A840CB05
SHA1:	A2790381B3684BC2C0F55C20670BF8EB640C4491
SHA-256:	ADF243BA29EF2AF4A08368A74B9C23D202BC78B2FA7F748FE9DA283B6A23BA3D
SHA-512:	A5A9D5D8AC8BF44B7B4F8B2E363ABB4D9B30DB4B6ADEB71537F8CE87D1F30FEA75526E38D321BD7EB4CBA9F6FE2B4E051178E24D0283ACEE52BD7CA3F3915436
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF6C727A247826C1C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2482574677831182
Encrypted:	false
SSDEEP:	48:M90ukYM+CFXJLT5t8sgWfxSCPAECiCytoc+xSCbT8vq:o0nzTTFg8oECGsMv
MD5:	30F78ACF3C3FA5BC48BF777EB5AF1543
SHA1:	D75BC20E21FF8DCB01DEAF18B4B915B4208990E0
SHA-256:	7DA00289B9AB081A703F985336157015238873EAEB231B9E156158F6ED79CE52
SHA-512:	B6BB8DB0A3413A20A13D0B8315E34EEE41DB9F49DE793EF2349F711D743A60B22BE569A699A40C943459E36231A6913F77DFCFB35D012C90A8A74A6F66C3F4E8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {70E7C985-4726-4956-A0F5-45A631F7DDEE}, Number of Words: 10, Subject: Microsoft Corporativa, Author: @Klabin, Name of Creating Application: Microsoft Corporativa, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Microsoft Corporativa., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jan 14 00:51:03 2025, Last Saved Time/Date: Tue Jan 14 00:51:03 2025, Last Printed: Tue Jan 14 00:51:03 2025, Number of Pages: 450
Entropy (8bit):	7.9673458298105695
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	2tytrCyNuF.msi
File size:	20'951'552 bytes
MD5:	8438efc424aca0df22b0987e54ebedf9
SHA1:	8f1f9a179a4784d3543c7a476c01181bceb93b18
SHA256:	19adf18044aa497dc793d0f117dfb1b68800c93e0cfde82837aa1aecc24bd70e
SHA512:	3af72b150ef511391ccb89866bcc55b7d060eb6316b04e8bddc178f57a4efce8dfd4fc637c8e406105d70c0e4a999dd8b227c8bd65411fef98aed6db9018fb5c
SSDEEP:	393216:tktwyY0daED8wromlva/UNzoGFaCwn/gRUgTD0Hsc23sfr:tkYcaEQw8mha/UNZFabnekscisfr
TLSH:	A2273321A2CBC42AE65D05B7E939FE2E123DBD67073045D3B2F5795A08B08C1A67DB13
File Content Preview:	........................>...................@...................................F.......c.......o..............................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Target ID:	0
Start time:	14:35:07
Start date:	15/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\2tytrCyNuF.msi"
Imagebase:	0x7ff678230000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:35:07
Start date:	15/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff678230000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:35:08
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 7DBAA4AD04C4E7682ABB0AAAF07D1209
Imagebase:	0xce0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:35:11
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe"
Imagebase:	0x9f0000
File size:	138'520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8%
Total number of Nodes:	1329
Total number of Limit Nodes:	31

Executed Functions

Function 009F1000 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 308
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 009F109B
PathFileExistsW.KERNELBASE(?,?), ref: 009F11A3
PathFileExistsW.SHLWAPI(?), ref: 009F1250
MoveFileExW.KERNEL32(?,?,00000001), ref: 009F1282
PathFileExistsW.SHLWAPI(?), ref: 009F129D
LoadLibraryW.KERNEL32(?), ref: 009F12CD
GetProcAddress.KERNEL32(00000000,ver), ref: 009F12E5
FreeLibrary.KERNEL32(?), ref: 009F12FF
FreeLibrary.KERNEL32(?), ref: 009F1331
LoadLibraryW.KERNEL32(?), ref: 009F1371
GetProcAddress.KERNEL32(00000000,ver), ref: 009F1383
FreeLibrary.KERNEL32(?), ref: 009F1395
FreeLibrary.KERNEL32(?), ref: 009F13AF

Strings

drivespan.dll, xrefs: 009F1044
\Nero\Transfer\Update\, xrefs: 009F1102
new_drivespan.dll, xrefs: 009F1202
ver, xrefs: 009F12DF, 009F137D

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: Library$FileFreePath$Exists$AddressLoadProc$FolderMove
String ID: \Nero\Transfer\Update\$drivespan.dll$new_drivespan.dll$ver
API String ID: 2307531666-2570186640
Opcode ID: 44f52940e020ae119b2ad57d1ae8c4b9e88a16c203ab3c3d4b2db30311ed67cb
Instruction ID: e57ad0cef990b48253b25cb9037c4260241548b95369c9bc64f44c36cdc0663f
Opcode Fuzzy Hash: 44f52940e020ae119b2ad57d1ae8c4b9e88a16c203ab3c3d4b2db30311ed67cb
Instruction Fuzzy Hash: 21D1447491522DDADF60DB24CC98BADB7B8FF48300F1401E9E509A2260DB75AF84CFA0

Function 009F17A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitCommonControlsEx.COMCTL32 ref: 009F17CE
LoadLibraryW.KERNELBASE(?,?,?,?,-Restart,?,?), ref: 009F185F
LoadLibraryW.KERNEL32(drivespan.dll,drivespan.dll,?,?,?,-Restart,?,?), ref: 009F1882
GetProcAddress.KERNEL32(00000000,run), ref: 009F1894
FreeLibrary.KERNELBASE(00000000,?,?,?,-Restart,?,?), ref: 009F18A9

Strings

-Restart, xrefs: 009F181A
3Ro, xrefs: 009F17CE
run, xrefs: 009F188E
drivespan.dll, xrefs: 009F186B, 009F187D

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: Library$Load$AddressCommonControlsFreeInitProc
String ID: -Restart$drivespan.dll$run$3Ro
API String ID: 1924428465-3056770509
Opcode ID: 0dd37657c8fa47f2a79af6039f633b07b27f8bc8c49d8362ed442612e0f38007
Instruction ID: 97330f04ae4137ca8496f45f511714ff5bb83198d619b56e223b48b3c4ffe1a4
Opcode Fuzzy Hash: 0dd37657c8fa47f2a79af6039f633b07b27f8bc8c49d8362ed442612e0f38007
Instruction Fuzzy Hash: E631BE31518209EFC714AB20DC55A7F77E8FF85395F44492CFA8292190EB71DA05CBA2

Function 009F6268 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,009F623E,00000003,00A04638,0000000C,009F6395,00000003,00000002,00000000,?,009F6BDA,00000003), ref: 009F6289
TerminateProcess.KERNEL32(00000000,?,009F623E,00000003,00A04638,0000000C,009F6395,00000003,00000002,00000000,?,009F6BDA,00000003), ref: 009F6290
ExitProcess.KERNEL32 ref: 009F62A2

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4bd1ee2d7a0202dbdc39b863e725eecaf4bbe917879664545104c92015434f05
Instruction ID: a5ef93995aaf43f6f5118876d1d1bfb5733a46048d5f9bfa80a59e640ba4ca70
Opcode Fuzzy Hash: 4bd1ee2d7a0202dbdc39b863e725eecaf4bbe917879664545104c92015434f05
Instruction Fuzzy Hash: 44E0B631014248ABDF116F54DE19AB93BA9FF85391F188424FA15CA122CF35ED42EB90

Function 009F8255 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,009F81FC,?,00000000,00000000,00000000,?,009F83F9,00000006,FlsSetValue), ref: 009F8287
GetLastError.KERNEL32(?,009F81FC,?,00000000,00000000,00000000,?,009F83F9,00000006,FlsSetValue,00A00278,00A00280,00000000,00000364,?,009F7100), ref: 009F8293
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009F81FC,?,00000000,00000000,00000000,?,009F83F9,00000006,FlsSetValue,00A00278,00A00280,00000000), ref: 009F82A1

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 405809ce476bed6555f2bb00dd81004c8fda8e0da5a780b76b7b6b805d45013f
Instruction ID: 953844dd094442e3475f4703b9a9c7287d439a1b3db996da3273d2a46c36c303
Opcode Fuzzy Hash: 405809ce476bed6555f2bb00dd81004c8fda8e0da5a780b76b7b6b805d45013f
Instruction Fuzzy Hash: 5201FC3261562AABC7614B68DC58EBB379CEF057F17240630FA26D3140DF20E800C7E0

Function 009F81B9 Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 009F8219
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 009F8226

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: afb16d1ab05f8a5baabd0cbb994813821db44acecc3f4dae38f6a42c41850e1d
Instruction ID: 88a7d31e5514a3493da06994098ba735d27bb3048321abf957d4804aec0f7a81
Opcode Fuzzy Hash: afb16d1ab05f8a5baabd0cbb994813821db44acecc3f4dae38f6a42c41850e1d
Instruction Fuzzy Hash: 9511A337A5092D9BDB21DF58EC509BB7399AB807A47164620EF35AB244DE30FC0287D0

Non-executed Functions

Function 009F1510 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 172
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000100,2FAA7487), ref: 009F154C
GetCurrentProcessId.KERNEL32(?,00000001,-00000001,?), ref: 009F1650
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009F168E
Process32FirstW.KERNEL32(00000000,0000022C), ref: 009F169E
Process32NextW.KERNEL32(00000000,0000022C), ref: 009F16B5
Process32NextW.KERNEL32(00000000,0000022C), ref: 009F171F
Sleep.KERNEL32(00000064), ref: 009F1734
CloseHandle.KERNEL32(00000000), ref: 009F173B
Sleep.KERNEL32(000000C8), ref: 009F1759

Strings

\, xrefs: 009F15B7

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: Process32$NextSleep$CloseCreateCurrentFileFirstHandleModuleNameProcessSnapshotToolhelp32
String ID: \
API String ID: 8921262-2967466578
Opcode ID: deb78f4625025ad6a08c6e047cd7ddf0dfadef8e9ebb4a8064169a8cd04a33d8
Instruction ID: fc43051eb1e8c547e31e50ac962704b3d396cc26626f54103adea77ba8026c2b
Opcode Fuzzy Hash: deb78f4625025ad6a08c6e047cd7ddf0dfadef8e9ebb4a8064169a8cd04a33d8
Instruction Fuzzy Hash: FD616B7190111DDADB20AB60CD89BFAB7B8FF15344F0001E9E60AE6151EB359E85CFA4

Function 009F55D7 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,009F330B), ref: 009F56CF
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,009F330B), ref: 009F56D9
UnhandledExceptionFilter.KERNEL32(00000016,?,?,?,?,?,009F330B), ref: 009F56E6

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d97a3c7f3aa482c22671a88dcbe9f6c33724989e773cc82a5a06d680121356cc
Instruction ID: 302776046ddf7572933efe8a675fa6fb280405cab9aa601c15177f6ca3b6bffc
Opcode Fuzzy Hash: d97a3c7f3aa482c22671a88dcbe9f6c33724989e773cc82a5a06d680121356cc
Instruction Fuzzy Hash: 8231B37491122C9BCB21DF64D889B9DBBB8AF48710F5041EAE90CA7251EB709B85CF44

Function 009FCD15 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009FCD10,?,?,00000008,?,?,009FC9B0,00000000), ref: 009FCF42

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: da79d4e61c8911e3196d7f336fba96753fa86fe2a8992d91ba5053868113748b
Instruction ID: 072b02549745b47a41f10210e48fc117b9afaf9dabed851579cc1abcff6d65fc
Opcode Fuzzy Hash: da79d4e61c8911e3196d7f336fba96753fa86fe2a8992d91ba5053868113748b
Instruction Fuzzy Hash: 10B1297121060D9FD719CF28C58AB64BBE1FF45364F25C658EAAACF2A1C335E991CB40

Function 009F2F17 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00002F23,009F26A2), ref: 009F2F1C

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b1dc67b1b4dc3cbfc78417e3ce575f67b66cc0326a90dc91b10d600c92d75ba1
Instruction ID: ca589d07cbfd8171f31f154e2c34059e9d3bd2e8f27f2d079499f1f3ef808bd1
Opcode Fuzzy Hash: b1dc67b1b4dc3cbfc78417e3ce575f67b66cc0326a90dc91b10d600c92d75ba1
Instruction Fuzzy Hash:

Function 009F9302 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 009F9302

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 6f2f4169c8716fd68e9b396ed29009b3bda769cf0468c243597042c30ab6e6e5
Instruction ID: f890f3258666559de3a6829179a34af754d34431f79f4a095ed5bbb30729102c
Opcode Fuzzy Hash: 6f2f4169c8716fd68e9b396ed29009b3bda769cf0468c243597042c30ab6e6e5
Instruction Fuzzy Hash: BCA01130A0C280CBA3008F30AA8822C3BA8AA00BA03080028A800C8020EA308082BA02

Function 009F8F76 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 009F8FBA

Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B0D
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B1F
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B31
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B43
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B55
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B67
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B79
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B8B
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8B9D
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8BAF
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8BC1
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8BD3
Part of subcall function 009F8AF0: _free.LIBCMT ref: 009F8BE5

_free.LIBCMT ref: 009F8FAF

Part of subcall function 009F6B10: HeapFree.KERNEL32(00000000,00000000,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?), ref: 009F6B26
Part of subcall function 009F6B10: GetLastError.KERNEL32(?,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?,?), ref: 009F6B38

_free.LIBCMT ref: 009F8FD1
_free.LIBCMT ref: 009F8FE6
_free.LIBCMT ref: 009F8FF1
_free.LIBCMT ref: 009F9013
_free.LIBCMT ref: 009F9026
_free.LIBCMT ref: 009F9034
_free.LIBCMT ref: 009F903F
_free.LIBCMT ref: 009F9077
_free.LIBCMT ref: 009F907E
_free.LIBCMT ref: 009F909B
_free.LIBCMT ref: 009F90B3

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2f91904a9bd915cd3163bd68f95f437de8ddde0125dee3d08c64f1ec5e754f56
Instruction ID: fa7ff6405480168aade0ddeb0f65e9f85d7d1648b2b51b738acf98c49c4e9912
Opcode Fuzzy Hash: 2f91904a9bd915cd3163bd68f95f437de8ddde0125dee3d08c64f1ec5e754f56
Instruction Fuzzy Hash: 2A313931604309AFEB70AA38D845B7A73EDEF80351F144929F659D7191DF32EDA08B54

Function 009F6F39 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 009F6F4D

Part of subcall function 009F6B10: HeapFree.KERNEL32(00000000,00000000,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?), ref: 009F6B26
Part of subcall function 009F6B10: GetLastError.KERNEL32(?,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?,?), ref: 009F6B38

_free.LIBCMT ref: 009F6F59
_free.LIBCMT ref: 009F6F64
_free.LIBCMT ref: 009F6F6F
_free.LIBCMT ref: 009F6F7A
_free.LIBCMT ref: 009F6F85
_free.LIBCMT ref: 009F6F90
_free.LIBCMT ref: 009F6F9B
_free.LIBCMT ref: 009F6FA6
_free.LIBCMT ref: 009F6FB4

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d1209b246d896589b8e65678d904a31742781ebad39db0be88aac7ebf73013e
Instruction ID: 347b7536ff5718fbc9c21f4d921f55e3b3ca76b0b0f93fbdadc133fe2f0ba922
Opcode Fuzzy Hash: 8d1209b246d896589b8e65678d904a31742781ebad39db0be88aac7ebf73013e
Instruction Fuzzy Hash: 4E11587661420CBFCB01EF54C952EEE3BA9EF44391B5145A5FB088F632DA31DE509B90

Function 009FA33F Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,009FA590,?,?,00000000), ref: 009FA399
__alloca_probe_16.LIBCMT ref: 009FA3D1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,009FA590,?,?,00000000,?,?,?), ref: 009FA41F
__alloca_probe_16.LIBCMT ref: 009FA4B6
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009FA519
__freea.LIBCMT ref: 009FA526

Part of subcall function 009F6B4A: RtlAllocateHeap.NTDLL(00000000,009F330B,?), ref: 009F6B7C

__freea.LIBCMT ref: 009FA52F
__freea.LIBCMT ref: 009FA554

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: b5919ce39b2eee18471e5c69cbb40f10264058497e078be3e28cdb304f9e14d0
Instruction ID: f643a0653a45187f37aa4f1441518ceb08c095b46c6a4825bc5ac862c798b960
Opcode Fuzzy Hash: b5919ce39b2eee18471e5c69cbb40f10264058497e078be3e28cdb304f9e14d0
Instruction Fuzzy Hash: BA51EEB261021AAFDB248F64DC85FBF77AEEB80750B244628FE08D6150EB74DC40D792

Function 009FAC93 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,009FB408,?,00000000,?,00000000,00000000), ref: 009FACD5
__fassign.LIBCMT ref: 009FAD50
__fassign.LIBCMT ref: 009FAD6B
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 009FAD91
WriteFile.KERNEL32(?,?,00000000,009FB408,00000000,?,?,?,?,?,?,?,?,?,009FB408,?), ref: 009FADB0
WriteFile.KERNEL32(?,?,00000001,009FB408,00000000,?,?,?,?,?,?,?,?,?,009FB408,?), ref: 009FADE9

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 472919e2deb6324db9cb700402a0726c32c26dc270cffe8f108696de92e7e956
Instruction ID: 750334f34439c9ce57e77098c2ac6094e4c21b14b9be622e496da112380724b6
Opcode Fuzzy Hash: 472919e2deb6324db9cb700402a0726c32c26dc270cffe8f108696de92e7e956
Instruction Fuzzy Hash: E351A1B1E0024D9FDB10CFA8D885AFEBBF8EF19300F14411AEA59E7291D730A941CB61

Function 009F8C93 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 009F8C57: _free.LIBCMT ref: 009F8C80

_free.LIBCMT ref: 009F8CE1

Part of subcall function 009F6B10: HeapFree.KERNEL32(00000000,00000000,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?), ref: 009F6B26
Part of subcall function 009F6B10: GetLastError.KERNEL32(?,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?,?), ref: 009F6B38

_free.LIBCMT ref: 009F8CEC
_free.LIBCMT ref: 009F8CF7
_free.LIBCMT ref: 009F8D4B
_free.LIBCMT ref: 009F8D56
_free.LIBCMT ref: 009F8D61
_free.LIBCMT ref: 009F8D6C

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0bb379ea52c51a684ff9bb70345eabbbe80e5a958499be13c44c1439a6277fea
Instruction ID: 37da83b68eca802a5827932d929a5e79b808449f486502d6dcfcc0cddbf5ce61
Opcode Fuzzy Hash: 0bb379ea52c51a684ff9bb70345eabbbe80e5a958499be13c44c1439a6277fea
Instruction Fuzzy Hash: A2112B71A45B0CBADA60BBB1CC07FEB779CAF84701F404C19B3D9AA092DE75B5548760

Function 009F4AE0 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009F4AD7,009F3E74,00A044D8,00000010,009F363C,?,?,?,?,?,00000000,?), ref: 009F4AEE
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009F4AFC
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009F4B15
SetLastError.KERNEL32(00000000,009F4AD7,009F3E74,00A044D8,00000010,009F363C,?,?,?,?,?,00000000,?), ref: 009F4B67

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 29df88f28be007eef3f065c0494bba323b7be6e33dbecefc00c51a06e2561d16
Instruction ID: ed14afba50c44ebe8bf81e9734c38cbd453fdea46a964c44e0e82e1335583668
Opcode Fuzzy Hash: 29df88f28be007eef3f065c0494bba323b7be6e33dbecefc00c51a06e2561d16
Instruction Fuzzy Hash: 2601B53364971E5DE7245BB47C85B7B6A9CDF553BB3210229F320851E2EE918C129344

Function 009F702E Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009F6A8B,00A046C0,0000000C,009F2F63), ref: 009F7032
_free.LIBCMT ref: 009F7065
_free.LIBCMT ref: 009F708D
SetLastError.KERNEL32(00000000), ref: 009F709A
SetLastError.KERNEL32(00000000), ref: 009F70A6
_abort.LIBCMT ref: 009F70AC

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 62a1265f359afed9a614e50a5f845577c2d8325e2d0cb956236a5278c19d488b
Instruction ID: d09214a49599ff23609bbd1eed3d805f7f980cb936bab8a6489ad3bafc0ac2be
Opcode Fuzzy Hash: 62a1265f359afed9a614e50a5f845577c2d8325e2d0cb956236a5278c19d488b
Instruction Fuzzy Hash: 45F0AF3624C70C66D62233B4AC1AB3F66699FC2762B280524FB14D62E2EE6498129324

Function 009F62ED Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009F629E,00000003,?,009F623E,00000003,00A04638,0000000C,009F6395,00000003,00000002), ref: 009F630D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009F6320
FreeLibrary.KERNEL32(00000000,?,?,?,009F629E,00000003,?,009F623E,00000003,00A04638,0000000C,009F6395,00000003,00000002,00000000), ref: 009F6343

Strings

CorExitProcess, xrefs: 009F6318
mscoree.dll, xrefs: 009F6306

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e0c9174c8214d7d43f0a92b13f7c1f427a24b871d4d4f610db7ff800217d6673
Instruction ID: 06833dd24a5defa01cfc5dc4f555af2aeecf10da6efce46cecb23509752f6f82
Opcode Fuzzy Hash: e0c9174c8214d7d43f0a92b13f7c1f427a24b871d4d4f610db7ff800217d6673
Instruction Fuzzy Hash: 36F04F71A1420CFBCB119F90DC6ABBDBFB8EF44716F044168FA05E22A1DB708951DB90

Function 009F6731 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009F67A3
_free.LIBCMT ref: 009F67C3

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0aeeef7565581c08289078f5294c47c283404c382f1dbc83c6e220398d35a8a3
Instruction ID: e5b9e8385656e69af49f532fe6b4ad1d48a5e49f3c26af940901b3386d379afa
Opcode Fuzzy Hash: 0aeeef7565581c08289078f5294c47c283404c382f1dbc83c6e220398d35a8a3
Instruction Fuzzy Hash: 57419472A003189FDB24DF78C981A6DB7E5EF89718F154569E715EB281DB31AD01CB80

Function 009F8DBC Relevance: 7.6, APIs: 5, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 009F8E09
__alloca_probe_16.LIBCMT ref: 009F8E41
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009F8E92
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009F8EA4
__freea.LIBCMT ref: 009F8EAD

Part of subcall function 009F6B4A: RtlAllocateHeap.NTDLL(00000000,009F330B,?), ref: 009F6B7C

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 6609e1710d37b2d06ffbe336f3955b7ad5747973632b53c83e5a9be050bc3e77
Instruction ID: c661e2c8204a6f476a93730a39b46949a7aaf56081b6ee3aa09ee1d3e22dd259
Opcode Fuzzy Hash: 6609e1710d37b2d06ffbe336f3955b7ad5747973632b53c83e5a9be050bc3e77
Instruction Fuzzy Hash: 4931AB72A1020EABDF24AF64DC85EBF7BA9EF40710B144128FE15DA291EB35DD54CB90

Function 009F70B2 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(009F330B,009F330B,?,009F73D7,009F6B8D,?,?,009F47F0,?,?,00000000,?,?,009F322E,009F330B,?), ref: 009F70B7
_free.LIBCMT ref: 009F70EC
_free.LIBCMT ref: 009F7113
SetLastError.KERNEL32(00000000,?,009F330B), ref: 009F7120
SetLastError.KERNEL32(00000000,?,009F330B), ref: 009F7129

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: afce24251592e463adb13ed917be1abb181f5945e1ffe2df5bc5ce7408eb92a4
Instruction ID: 509144de709d2531204a4527ce77329d6fcb99fe91e228ba09f207a18e945908
Opcode Fuzzy Hash: afce24251592e463adb13ed917be1abb181f5945e1ffe2df5bc5ce7408eb92a4
Instruction Fuzzy Hash: 7901FF3634D70C77D32267B46C86B3F666DEFC97667280424FB15D2292EE6888269320

Function 009F8BEE Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009F8C06

Part of subcall function 009F6B10: HeapFree.KERNEL32(00000000,00000000,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?), ref: 009F6B26
Part of subcall function 009F6B10: GetLastError.KERNEL32(?,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?,?), ref: 009F6B38

_free.LIBCMT ref: 009F8C18
_free.LIBCMT ref: 009F8C2A
_free.LIBCMT ref: 009F8C3C
_free.LIBCMT ref: 009F8C4E

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1b1afe586e9167c469f197ea8535835df9f37a4ddedd321823955a5dc9335a06
Instruction ID: 5d8a733c7d4aa78cadf4ab07b4e246e6541b9a7fc61ca063eb87ebc98fef145d
Opcode Fuzzy Hash: 1b1afe586e9167c469f197ea8535835df9f37a4ddedd321823955a5dc9335a06
Instruction Fuzzy Hash: 12F0127250A20C7BC768EBA4E5C6D7773EDAA40715B640C09F244D7501CF31FC928764

Function 009F6980 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009F699E

Part of subcall function 009F6B10: HeapFree.KERNEL32(00000000,00000000,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?), ref: 009F6B26
Part of subcall function 009F6B10: GetLastError.KERNEL32(?,?,009F8C85,?,00000000,?,00000000,?,009F8CAC,?,00000007,?,?,009F910E,?,?), ref: 009F6B38

_free.LIBCMT ref: 009F69B0
_free.LIBCMT ref: 009F69C3
_free.LIBCMT ref: 009F69D4
_free.LIBCMT ref: 009F69E5

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 52c8d33e45fe117d03ad3f7abab358d6e5fd031b3f0bd8e9c18c2f3730bcfbd4
Instruction ID: 6b20eabefbe3b5ceb6c8c589a19e87df2fce4c85283082b631be11e10fd80e8a
Opcode Fuzzy Hash: 52c8d33e45fe117d03ad3f7abab358d6e5fd031b3f0bd8e9c18c2f3730bcfbd4
Instruction Fuzzy Hash: 8BF03074D0831CABDA11EFA4BC5195D37B4F7447253004606F914D62B5CB3178639F96

Function 009F5AFF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe,00000104), ref: 009F5B3A
_free.LIBCMT ref: 009F5C05
_free.LIBCMT ref: 009F5C0F

Strings

C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe, xrefs: 009F5B31, 009F5B38, 009F5B67, 009F5B9F

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe
API String ID: 2506810119-3704016030
Opcode ID: ac2ed4efaf0539fb359cdeb89a7ecd3e72710eebf4156788890bd3e88321b0bc
Instruction ID: 57539270c5564143f333d2445d092d0226c71196ae5ee541f9cd057bd367a86f
Opcode Fuzzy Hash: ac2ed4efaf0539fb359cdeb89a7ecd3e72710eebf4156788890bd3e88321b0bc
Instruction Fuzzy Hash: 45317A71E0475CEFDB21DF999885DAEBBBCEB85311B1140A6EB0497211D6B09E41CBA0

Function 009F1E40 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 009F1EC4

Part of subcall function 009F32DD: __CxxThrowException@8.LIBVCRUNTIME ref: 009F32F4

Concurrency::cancel_current_task.LIBCPMT ref: 009F1ED9
new.LIBCMT ref: 009F1EDF
new.LIBCMT ref: 009F1EF3

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: 166f44b9b2f9fb4f0d3fc0ede0629c709bb95d123eca62436eb2dea707dd1053
Instruction ID: 095b509843c682cbb2977fb041f40b7b2e102b63831f41aa89219b225373a50d
Opcode Fuzzy Hash: 166f44b9b2f9fb4f0d3fc0ede0629c709bb95d123eca62436eb2dea707dd1053
Instruction Fuzzy Hash: 9941B371A10609DBD724DF24D98167AB7F9EB44760F200B2DFA66C7290E734E904CBE1

Function 009F35F7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 009F360E

Part of subcall function 009F3C46: ___AdjustPointer.LIBCMT ref: 009F3C90

_UnwindNestedFrames.LIBCMT ref: 009F3625
___FrameUnwindToState.LIBVCRUNTIME ref: 009F3637
CallCatchBlock.LIBVCRUNTIME ref: 009F365B

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: c818ee3c194d0a60d1f22e1fc4dc6d3ef6eda792af7de8886e093e75c8865d1b
Instruction ID: c47511a74097aa8c5cae83fc5c0d4c3a947c7a1d6a8fc0c819954811617e2ee5
Opcode Fuzzy Hash: c818ee3c194d0a60d1f22e1fc4dc6d3ef6eda792af7de8886e093e75c8865d1b
Instruction Fuzzy Hash: 1501E93200010DBBCF125F55CC02EEA7BBAFF88754F158114FE5865121D73AE961DBA4

Function 009F2090 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 009F20BA

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4d3f94c81d3943c378cad470bf1a73962749ad578d4a4a79ac19c895b724af
Instruction ID: 0507a94dd56e0b9eb5dded574325afd6c5fdc3bdfc23ce9add0d1fd6ca9379f5
Opcode Fuzzy Hash: 4b4d3f94c81d3943c378cad470bf1a73962749ad578d4a4a79ac19c895b724af
Instruction Fuzzy Hash: 8BF0A7B370420C0AD718E7749C66B7E72988B643607144639F32AC6281FD21D994C759

Function 009F48B6 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 009F48B6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 009F48BB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 009F48C0

Part of subcall function 009F514E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 009F515F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 009F48D5

Memory Dump Source

Source File: 00000003.00000002.2045203763.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true

Associated: 00000003.00000002.2045175617.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045227113.00000000009FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045249364.0000000000A06000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2045268987.0000000000A08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9f0000_Flexpcis.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: e092bf8d1f2de1a436e08f72e43c775e9d4ad525a9e452ad70d54133d921d8c2
Instruction ID: 824bea240295fcd0a8d843af64d6df62f685461a5793dfe19e4666a9e4e9c166
Opcode Fuzzy Hash: e092bf8d1f2de1a436e08f72e43c775e9d4ad525a9e452ad70d54133d921d8c2
Instruction Fuzzy Hash: F6C04C14155A8D551C247AF165123BF03041CD37C6BA226C1EBA11781399095C5B1B77

Source: Flexpcis.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://s.symcd.com06
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Flexpcis.exe, 00000003.00000003.2042407030.0000000005C3F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://www.nero.com
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: Flexpcis.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Flexpcis.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Flexpcis.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Flexpcis.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe 7E4132835419E4C415D048B64A5FC2813B8D2FF72BB5586D857DCDF6A90A45F2
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI3AF2.tmp D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Source: 2tytrCyNuF.msi	Virustotal: Detection: 11%			Perma Link
Source: 2tytrCyNuF.msi	ReversingLabs: Detection: 13%

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4937c6.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3AF2.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3B61.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3BA0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3CDA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3D58.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3FD9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4937c9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4937c9.msi	Jump to behavior

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2tytrCyNuF.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\4937c8.rbs

C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Drivespan.dll

C:\Users\user\AppData\Roaming\@Klabin\Microsoft Corporativa\Flexpcis.exe

C:\Windows\Installer\4937c6.msi

C:\Windows\Installer\4937c9.msi

C:\Windows\Installer\MSI3AF2.tmp

C:\Windows\Installer\MSI3B61.tmp

C:\Windows\Installer\MSI3BA0.tmp

C:\Windows\Installer\MSI3CDA.tmp

C:\Windows\Installer\MSI3D58.tmp

C:\Windows\Installer\MSI3FD9.tmp

C:\Windows\Installer\SourceHash{E49D674A-6F2A-43F2-A5F6-7C3AABA5E5C8}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF09AB025CB9CCFE2D.TMP

C:\Windows\Temp\~DF5A92F5594DF0CA16.TMP

C:\Windows\Temp\~DF836B5A43463758AB.TMP

C:\Windows\Temp\~DF9A96319E3287E2A1.TMP

C:\Windows\Temp\~DF9C6AB143184999BB.TMP

C:\Windows\Temp\~DFB80DDCE5BA0A590F.TMP

C:\Windows\Temp\~DFCA3C40956A044D23.TMP

C:\Windows\Temp\~DFCBD368949DA3CFA0.TMP

C:\Windows\Temp\~DFD11F0AEF1574F5AF.TMP

C:\Windows\Temp\~DFDDE03ACD6DFB2F27.TMP

Windows Analysis Report
2tytrCyNuF.msi

Function 009F1000 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 308
libraryloaderCOMMON

Function 009F17A0 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98
libraryloaderCOMMON

Function 009F6268 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 009F8255 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Function 009F81B9 Relevance: 3.1, APIs: 2, Instructions: 65
libraryloaderCOMMONLIBRARYCODE

Function 009F1510 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 172
sleepprocessCOMMON

Function 009F8F76 Relevance: 19.6, APIs: 13, Instructions: 114
COMMONLIBRARYCODE

Function 009F6F39 Relevance: 15.1, APIs: 10, Instructions: 54
COMMON

Function 009FA33F Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Function 009FAC93 Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Function 009F8C93 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE