
Windows Analysis Report
F_4_T_U_R_4___nf____0992344.4354.msi

Overview

General Information

Sample Name: F_4_T_U_R_4___nf____0992344.4354.msi
Analysis ID: 825405
MD5: c318d63f64c2b8274c35a4b20964ff9b
SHA1: 5605ec59345bfc315abd005415b5ac778b80c175
SHA256: 003a2316ff87962fef3f26f662a04c111f41c1832cc6b9716377767219981594
Tags: msi

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates files inside the system directory
PE file contains sections with non-standard names
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries keyboard layouts
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware

Classification

  • System is w10x64
  • msiexec.exe (PID: 5928 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\F_4_T_U_R_4___nf____0992344.4354.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 6048 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5148 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F7A68C9D91CEF59A808028AAB00F5DA2 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • abd1 .exe (PID: 1380 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 5448 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 5600 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • cleanup
No configs have been found
Yara matches: dropped files
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\abd1 .exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Yara matches: memory dumps
Source | Rule | Description | Author
00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000003.00000002.609204022.0000000004D78000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000003.00000003.325220220.0000000004B87000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Process Memory Space: abd1 .exe PID: 1380 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
(1 further entry not shown)

Yara matches: unpacked PEs
Source | Rule | Description | Author
3.0.abd1 .exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: F_4_T_U_R_4___nf____0992344.4354.msi | ReversingLabs: Detection: 23%
Source: F_4_T_U_R_4___nf____0992344.4354.msi | Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Roaming\WebUI.dll | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\WebUI.dll | Joe Sandbox ML: detected
Source: 3.2.abd1 .exe.be0000.1.unpack | Avira: Label: TR/PWS.Sinowal.Gen2

Compliance

Source: C:\Users\user\AppData\Roaming\abd1 .exe | Unpacked PE file: 3.2.abd1 .exe.400000.0.unpack
Source: unknown | HTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: Binary string: iphlpapi.pdbUGP source: abd1 .exe, 00000003.00000002.608656956.0000000004BEA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.496844525.0000000000937000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000003.529162765.0000000000957000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.577309236.000000000471A000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: abd1 .exe, 00000003.00000003.327212332.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.605952221.0000000004915000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.577954731.00000000048A9000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: abd1 .exe, 00000003.00000002.608656956.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.495942233.0000000000937000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.577309236.00000000046B0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: iphlpapi.pdb source: abd1 .exe, 00000003.00000002.608656956.0000000004BEA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.496844525.0000000000937000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000003.529162765.0000000000957000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.577309236.000000000471A000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: abd1 .exe, 00000003.00000002.609204022.0000000004D78000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.325220220.0000000004B87000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: abd1 .exe, 00000003.00000002.606582814.00000000049E3000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.322294682.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.578545339.00000000049D1000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: abd1 .exe, 00000003.00000002.606582814.00000000049E3000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.322294682.00000000047FD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.578545339.00000000049D1000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb source: abd1 .exe, 00000003.00000003.334656021.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.610670790.0000000004F6B000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.582270338.0000000004F64000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: abd1 .exe, 00000003.00000002.609204022.0000000004D78000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.325220220.0000000004B87000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: abd1 .exe, 00000003.00000002.608656956.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.495942233.0000000000937000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.577309236.00000000046B0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr
Source: Binary string: wkernel32.pdbGCTL source: abd1 .exe, 00000003.00000003.327212332.00000000047F3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.605952221.0000000004915000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.577954731.00000000048A9000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP source: abd1 .exe, 00000003.00000003.334656021.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.610670790.0000000004F6B000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.582270338.0000000004F64000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened (one entry per drive letter): a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 15.228.77.178
Source: global traffic | HTTP traffic detected:
    GET /imagens/bo/inspecionando.php HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ebaoffice.com.br
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: abd1 .exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: abd1 .exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: abd1 .exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: abd1 .exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: abd1 .exe.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: abd1 .exe.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, abd1 .exe.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: abd1 .exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: abd1 .exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: abd1 .exe.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: abd1 .exe, 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: abd1 .exe, 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | String found in binary or memory: http://stats.itopvpn.com/iusage.php
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: abd1 .exe.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: abd1 .exe.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: abd1 .exe, abd1 .exe, 00000007.00000002.571458526.0000000000FAF000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: abd1 .exe, 00000003.00000002.571627415.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/
Source: abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.572900338.0000000000BE1000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 00000003.00000002.613044083.0000000008AC8000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.613702934.0000000009085000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php
Source: abd1 .exe, 00000003.00000002.613416696.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.571627415.00000000008BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php...
Source: abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php:
Source: abd1 .exe, 00000003.00000002.613416696.0000000008D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:
Source: abd1 .exe, 00000003.00000002.571627415.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpI
Source: abd1 .exe, 00000003.00000002.571627415.00000000008BB000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpJ
Source: abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpU
Source: abd1 .exe, 00000003.00000002.613416696.0000000008D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpiu
Source: abd1 .exe, 00000003.00000002.571627415.00000000008BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpokiesm_
Source: abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php
Source: abd1 .exe, 00000003.00000002.571627415.0000000000901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.comt
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: https://www.advancedinstaller.com
Source: abd1 .exe.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
Source: unknown | DNS traffic detected: queries for: ebaoffice.com.br
Source: abd1 .exe, 00000003.00000002.609204022.0000000004D78000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create
Source: abd1 .exe, 00000003.00000002.610670790.0000000004F6B000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
Source: Yara match | File source: 00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.609204022.0000000004D78000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.325220220.0000000004B87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 1380, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 5600, type: MEMORYSTR

System Summary

Source: WebUI.dll.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIFB1D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\58f706.msi
Source: F_4_T_U_R_4___nf____0992344.4354.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs F_4_T_U_R_4___nf____0992344.4354.msi
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Section loaded: webui.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\F_4_T_U_R_4___nf____0992344.4354.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F7A68C9D91CEF59A808028AAB00F5DA2
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\WebUI.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSI8f437.LOG
Source: classification engine | Classification label: mal84.evad.winMSI@8/27@1/2
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: F_4_T_U_R_4___nf____0992344.4354.msi | Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$564
Source: Yara match | File source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\abd1 .exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: F_4_T_U_R_4___nf____0992344.4354.msi | Static file information: File size 8618496 > 1048576

                Data Obfuscation

                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Unpacked PE file: 3.2.abd1 .exe.400000.0.unpack
                Source: WebUI.dll.1.dr | Static PE information: section name: .sedata
                Source: initial sample | Static PE information: section where entry point is pointing to: .sedata
                Source: initial sample | Static PE information: section name: .sedata entropy: 7.108882420070699
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\abd1 .exe
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\WebUI.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFB1D.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFCE3.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFDB0.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFE0F.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIFD51.tmp
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 1380 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 1380 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 1380 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 1380 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 1380 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 1380 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EECFE4 second address: 0000000002EED03D (instruction listing between the two rdtsc instructions omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED03D second address: 0000000002EED134 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED134 second address: 0000000002EED0C4 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED0C4 second address: 0000000002EED111 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED42F second address: 0000000002EED40B (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED40B second address: 0000000002EED495 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED525 second address: 0000000002EED5A8 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED7DE second address: 0000000002EED861 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED9FA second address: 0000000002EED9D6 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EED9D6 second address: 0000000002EEDA7E (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002EEDDF5 second address: 0000000002EEDDBC (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DF4997 second address: 0000000002DF49D9 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DFDCA2 second address: 0000000002DFDC76 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DEF054 second address: 0000000002DEF276 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DEF276 second address: 0000000002DEF106 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DEF106 second address: 0000000002DEF145 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E00B44 second address: 0000000002E00BE4 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3867B second address: 0000000002E3870C (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E0726B second address: 0000000002E02051 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E01E2B second address: 0000000002E01E6B (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E01E6B second address: 0000000002E01E99 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E07224 second address: 0000000002E02051 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E0CB10 second address: 0000000002E0C193 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E0024C second address: 0000000002E00402 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E00402 second address: 0000000002DEEF12 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E01475 second address: 0000000002E015DC (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E43DA9 second address: 0000000002E43DAB (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E44726 second address: 0000000002E44652 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3DB28 second address: 0000000002E0C193 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E2FC3D second address: 0000000002E2FC27 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E2FF18 second address: 0000000002E2FF1E (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E0A0A5 second address: 0000000002E0A101 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E57A67 second address: 0000000002E57AE8 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E57AE8 second address: 0000000002E02051 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E38778 second address: 0000000002E38788 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3F6A1 second address: 0000000002E02051 (instruction listing omitted)
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E35A2C second address: 0000000002E0C193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F315h 0x00000004 call 00007F0B68C4F328h 0x00000009 jmp 00007F0B68C4F35Dh 0x0000000b xchg eax, ecx 0x0000000c sets dh 0x0000000f lea edx, dword ptr [00000000h+edi*4] 0x00000016 bswap edx 0x00000018 jmp 00007F0B68C4F44Dh 0x0000001d cbw 0x0000001f mov dh, C8h 0x00000021 not dl 0x00000023 lea edx, dword ptr [eax+ebx] 0x00000026 sub esp, 1Eh 0x00000029 jmp 00007F0B68C4F279h 0x0000002e jnc 00007F0B68C4F3A4h 0x00000030 lea esp, dword ptr [esp+02h] 0x00000034 xchg eax, ecx 0x00000035 mov dx, word ptr [esp] 0x00000039 jmp 00007F0B68C4F2B2h 0x0000003e mov edx, esp 0x00000040 lea edx, dword ptr [edi-31FB5232h] 0x00000046 bswap edx 0x00000048 mov word ptr [esi], cx 0x0000004b setle dl 0x0000004e jmp 00007F0B68C4F31Ah 0x00000050 lea edx, dword ptr [00000000h+edi*4] 0x00000057 btc edx, esi 0x0000005a jle 00007F0B68C4F38Bh 0x0000005c mov dx, word ptr [esp] 0x00000060 jmp 00007F0B68C25A8Fh 0x00000065 mov ecx, edi 0x00000067 not al 0x00000069 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E403BA second address: 0000000002E403BA instructions: 0x00000000 rdtsc 0x00000002 xor dx, E322h 0x00000007 mov dword ptr [esp+1Ch], ecx 0x0000000b popad 0x0000000c sub esp, 19h 0x0000000f jmp 00007F0B68A489D8h 0x00000011 lea esp, dword ptr [esp+01h] 0x00000015 shr eax, 10h 0x00000018 lea esp, dword ptr [esp+18h] 0x0000001c test ax, ax 0x0000001f jmp 00007F0B68A489E5h 0x00000021 je 00007F0B68A488D0h 0x00000027 inc edx 0x00000028 jmp 00007F0B68A48B49h 0x0000002d push bp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F0B68A48A6Ah 0x00000035 inc edx 0x00000036 dec esi 0x00000037 jne 00007F0B68A48976h 0x0000003d movzx eax, word ptr [edx] 0x00000040 jmp 00007F0B68A48E3Ch 0x00000045 cmc 0x00000046 add ecx, eax 0x00000048 xor ax, ax 0x0000004b pushad 0x0000004c jmp 00007F0B68A4885Bh 0x00000051 xchg dx, bp 0x00000054 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E38D61 second address: 0000000002E0C193 instructions: 0x00000000 rdtsc 0x00000002 xchg ax, dx 0x00000004 sub esi, 02h 0x00000007 jmp 00007F0B68C4F372h 0x00000009 mov edx, esi 0x0000000b lea edx, dword ptr [ebx+ebx] 0x0000000e mov al, 56h 0x00000010 call 00007F0B68C4F323h 0x00000015 add word ptr [esi+04h], cx 0x00000019 mov al, dl 0x0000001b jmp 00007F0B68C4F35Ch 0x0000001d xchg dx, ax 0x00000020 pushfd 0x00000021 pop dword ptr [esi] 0x00000023 xchg dh, ah 0x00000025 jmp 00007F0B68C4F38Bh 0x00000027 mov ax, 7B2Bh 0x0000002b xchg ax, dx 0x0000002d mov dh, 75h 0x0000002f jmp 00007F0B68C226CEh 0x00000034 mov ecx, edi 0x00000036 not al 0x00000038 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002ED543E second address: 0000000002ED5440 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002ED5440 second address: 0000000002ED5442 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1CFE4 second address: 0000000002D1D03D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A48A2Ah 0x00000004 sub esp, 0Fh 0x00000007 mov ax, dx 0x0000000a call 00007F0B68A48A88h 0x0000000f mov dword ptr [esp+10h], eax 0x00000013 or ch, FFFFFF81h 0x00000016 push word ptr [esp+06h] 0x0000001b pushad 0x0000001c jmp 00007F0B68A48A2Dh 0x0000001e mov dx, 0084h 0x00000022 bsf ebx, edx 0x00000025 mov ebx, dword ptr [esp+2Fh] 0x00000029 mov bx, cx 0x0000002c jmp 00007F0B68A48AB3h 0x0000002e xchg word ptr [esp+14h], bx 0x00000033 mov word ptr [esp+07h], si 0x00000038 push word ptr [esp+2Bh] 0x0000003d sub esp, 01h 0x00000040 pop edx 0x00000041 xchg dword ptr [esp+28h], eax 0x00000045 jmp 00007F0B68A48A12h 0x00000047 lea ebp, dword ptr [edi+2363DC3Fh] 0x0000004d mov ecx, 1D25122Fh 0x00000052 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D03D second address: 0000000002D1D134 instructions: 0x00000000 rdtsc 0x00000002 pop si 0x00000004 mov bh, dl 0x00000006 cld 0x00000007 jmp 00007F0B68C4F36Eh 0x00000009 mov dword ptr [esp+24h], edi 0x0000000d stc 0x0000000e popad 0x0000000f push word ptr [esp+0Ch] 0x00000014 mov word ptr [esp+01h], di 0x00000019 xchg word ptr [esp+06h], ax 0x0000001e jmp 00007F0B68C4F38Dh 0x00000020 mov bx, word ptr [esp+0Dh] 0x00000025 pop word ptr [esp+0Ah] 0x0000002a sub esp, 03h 0x0000002d rcr dl, 00000000h 0x00000030 pop dword ptr [esp+06h] 0x00000034 dec ebx 0x00000035 jmp 00007F0B68C4F304h 0x00000037 sub esp, 12h 0x0000003a bswap esi 0x0000003c mov ecx, esp 0x0000003e setnl cl 0x00000041 cmc 0x00000042 xchg edi, eax 0x00000044 jmp 00007F0B68C4F3B8h 0x00000046 xchg ax, di 0x00000048 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D134 second address: 0000000002D1D0C4 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0B68A489D6h 0x00000007 bts cx, bp 0x0000000b pop ebp 0x0000000c rol dx, cl 0x0000000f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D0C4 second address: 0000000002D1D111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F37Bh 0x00000004 lea edi, dword ptr [edi+ebp] 0x00000007 mov dword ptr [esp+11h], eax 0x0000000b sub bp, E0F4h 0x00000010 xchg dword ptr [esp+1Bh], ebx 0x00000014 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D42F second address: 0000000002D1D40B instructions: 0x00000000 rdtsc 0x00000002 or edx, esi 0x00000004 jmp 00007F0B68A489C9h 0x00000009 mov edx, 8C0A744Fh 0x0000000e cmc 0x0000000f xor cl, 0000005Fh 0x00000012 rcl dx, cl 0x00000015 mov dword ptr [esp+07h], ebp 0x00000019 jmp 00007F0B68A48A79h 0x0000001b push dword ptr [esp+0Ch] 0x0000001f not eax 0x00000021 setp bl 0x00000024 setbe bl 0x00000027 not si 0x0000002a mov word ptr [esp+11h], dx 0x0000002f jmp 00007F0B68A48A26h 0x00000031 bswap ebp 0x00000033 push word ptr [esp+05h] 0x00000038 lea edi, dword ptr [eax+edi] 0x0000003b mov si, B3B3h 0x0000003f jmp 00007F0B68A48A6Eh 0x00000041 mov dh, byte ptr [esp+16h] 0x00000045 add esp, 15h 0x00000048 mov bl, F0h 0x0000004a mov cx, word ptr [esp+04h] 0x0000004f pop bp 0x00000051 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D40B second address: 0000000002D1D495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F39Fh 0x00000004 xchg ebx, ecx 0x00000006 pushad 0x00000007 pop dword ptr [esp+1Bh] 0x0000000b pop dword ptr [esp+04h] 0x0000000f bsr bx, ax 0x00000013 mov dl, F8h 0x00000015 jmp 00007F0B68C4F311h 0x00000017 xchg esi, edx 0x00000019 mov ch, ah 0x0000001b pop bx 0x0000001d pop edi 0x0000001e lea ebp, dword ptr [eax-0000F067h] 0x00000024 mov dx, 84EDh 0x00000028 jmp 00007F0B68C4F319h 0x0000002a mov edi, 9BCCFFF5h 0x0000002f add ebx, eax 0x00000031 add ax, 000084CAh 0x00000035 mov word ptr [esp+11h], ax 0x0000003a jmp 00007F0B68C4F38Dh 0x0000003c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D525 second address: 0000000002D1D5A8 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bp 0x00000005 bsr ax, cx 0x00000009 push dword ptr [esp+12h] 0x0000000d pop ax 0x0000000f jmp 00007F0B68A48A87h 0x00000011 xchg dword ptr [esp+0Dh], ecx 0x00000015 lea esp, dword ptr [esp+0Bh] 0x00000019 mov byte ptr [esp+05h], dl 0x0000001d xchg bl, bh 0x0000001f lea esp, dword ptr [esp+10h] 0x00000023 mov dh, AFh 0x00000025 jmp 00007F0B68A48A26h 0x00000027 std 0x00000028 call 00007F0B68A48AFBh 0x0000002d push dword ptr [esp+02h] 0x00000031 mov esi, 77201D02h 0x00000036 lea edx, dword ptr [esp+1F709682h] 0x0000003d bswap edi 0x0000003f cpuid 0x00000041 jmp 00007F0B68A48A0Dh 0x00000043 sbb bx, si 0x00000046 xchg word ptr [esp], di 0x0000004a lea eax, dword ptr [00000000h+edi*4] 0x00000051 xchg word ptr [esp+03h], cx 0x00000056 xchg byte ptr [esp+04h], dl 0x0000005a cpuid 0x0000005c jmp 00007F0B68A48A1Ch 0x0000005e sub esp, 10h 0x00000061 push dword ptr [esp+06h] 0x00000065 lea esp, dword ptr [esp+15h] 0x00000069 lea esi, dword ptr [00000000h+esi*4] 0x00000070 jmp 00007F0B68A48A28h 0x00000072 lea esp, dword ptr [esp+08h] 0x00000076 bsr ebx, esi 0x00000079 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D7DE second address: 0000000002D1D861 instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [eax+6F971120h] 0x00000008 xchg bx, si 0x0000000b jmp 00007F0B68C4F357h 0x0000000d mov dl, cl 0x0000000f std 0x00000010 mov bx, word ptr [esp] 0x00000014 xchg ebx, ebp 0x00000016 xchg ebp, edx 0x00000018 lea edi, dword ptr [edx+ebx] 0x0000001b jmp 00007F0B68C4F388h 0x0000001d xchg eax, ebp 0x0000001e mov di, ax 0x00000021 std 0x00000022 neg bx 0x00000025 setb ah 0x00000028 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D9FA second address: 0000000002D1D9D6 instructions: 0x00000000 rdtsc 0x00000002 dec cx 0x00000004 push dword ptr [esp+05h] 0x00000008 mov ebp, dword ptr [esp+33h] 0x0000000c lea edx, dword ptr [00000000h+ebp*4] 0x00000013 push dword ptr [esp+32h] 0x00000017 jmp 00007F0B68A48A0Eh 0x00000019 mov dword ptr [esp+25h], ecx 0x0000001d setnl dh 0x00000020 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1D9D6 second address: 0000000002D1DA7E instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, esi 0x00000004 lea ebx, dword ptr [ecx+edi] 0x00000007 xchg byte ptr [esp+19h], cl 0x0000000b call 00007F0B68C4F389h 0x00000010 jmp 00007F0B68C4F329h 0x00000012 push bp 0x00000014 xchg byte ptr [esp+11h], cl 0x00000018 pop edx 0x00000019 mov bh, dh 0x0000001b mov byte ptr [esp+2Dh], dh 0x0000001f mov ebp, ebx 0x00000021 jmp 00007F0B68C4F366h 0x00000023 pop word ptr [esp+13h] 0x00000028 mov word ptr [esp+2Ch], bx 0x0000002d bt ecx, ebp 0x00000030 mov edx, ebx 0x00000032 neg si 0x00000035 clc 0x00000036 jmp 00007F0B68C4F311h 0x00000038 sbb esi, E0A84136h 0x0000003e mov word ptr [esp+02h], di 0x00000043 lea esi, dword ptr [378A0432h] 0x00000049 xchg di, bp 0x0000004c xchg edi, ebp 0x0000004e jmp 00007F0B68C4F371h 0x00000050 push dword ptr [esp+29h] 0x00000054 mov ebp, DF4D6296h 0x00000059 pop bp 0x0000005b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002D1DDF5 second address: 0000000002D1DDBC instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 push word ptr [esp+02h] 0x0000000b mov esi, 2EED7EFDh 0x00000010 sub esp, 0Dh 0x00000013 jmp 00007F0B68A48A04h 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C24997 second address: 0000000002C249D9 instructions: 0x00000000 rdtsc 0x00000002 btc cx, bx 0x00000006 je 00007F0B68C4F2FAh 0x00000008 clc 0x00000009 jmp 00007F0B68C4F316h 0x0000000b xor dx, A906h 0x00000010 jmp 00007F0B68C4F38Fh 0x00000012 lea ecx, dword ptr [edi+50h] 0x00000015 mov dx, ax 0x00000018 mov dl, byte ptr [esp] 0x0000001b lea eax, dword ptr [eax+0000D183h] 0x00000021 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C2DCA2 second address: 0000000002C2DC76 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4D026007h 0x00000007 sub esi, 04h 0x0000000a jmp 00007F0B68A48A13h 0x0000000c lea edx, dword ptr [00000000h+ecx*4] 0x00000013 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C1F054 second address: 0000000002C1F276 instructions: 0x00000000 rdtsc 0x00000002 mov ax, CFB1h 0x00000006 push dword ptr [esp+10h] 0x0000000a retn 0014h 0x0000000d call 00007F0B68C4F2DEh 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 call 00007F0B68C4F3EAh 0x0000001b mov cx, word ptr [esp] 0x0000001f sub esp, 09h 0x00000022 mov ah, D2h 0x00000024 dec edx 0x00000025 inc al 0x00000027 jmp 00007F0B68C4F31Eh 0x00000029 lea esp, dword ptr [esp+01h] 0x0000002d xchg dword ptr [esp+08h], eax 0x00000031 sets ch 0x00000034 mov edx, ebx 0x00000036 pushfd 0x00000037 jmp 00007F0B68C4F356h 0x00000039 lea esp, dword ptr [esp+01h] 0x0000003d lea ecx, dword ptr [A28040EFh] 0x00000043 lea esp, dword ptr [esp+03h] 0x00000047 jmp 00007F0B68C4F7FEh 0x0000004c lea eax, dword ptr [eax+6Bh] 0x0000004f mov dh, AEh 0x00000051 setp dh 0x00000054 push bx 0x00000056 lea ecx, dword ptr [00000000h+ecx*4] 0x0000005d lea esp, dword ptr [esp+02h] 0x00000061 jmp 00007F0B68C4F022h 0x00000066 xchg dword ptr [esp+08h], eax 0x0000006a inc eax 0x0000006b mov al, 99h 0x0000006d sets cl 0x00000070 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C1F276 second address: 0000000002C1F106 instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+08h] 0x00000006 retn 000Ch 0x00000009 jmp 00007F0B68A48AF2h 0x0000000e rol edi, 00000000h 0x00000011 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C1F106 second address: 0000000002C1F145 instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 shl al, cl 0x00000007 jc 00007F0B68C4F31Fh 0x00000009 jnc 00007F0B68C4F307h 0x0000000b mov ch, byte ptr [esp] 0x0000000e mov dl, 36h 0x00000010 jmp 00007F0B68C4F3FEh 0x00000015 lea esp, dword ptr [esp+18h] 0x00000019 neg edi 0x0000001b rol al, 00000006h 0x0000001e jns 00007F0B68C4F2F7h 0x00000020 bswap ecx 0x00000022 push esp 0x00000023 rol edi, 00000000h 0x00000026 lea eax, dword ptr [00000000h+ebp*4] 0x0000002d call 00007F0B68C4F31Ch 0x00000032 lea ecx, dword ptr [edx+edi] 0x00000035 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C30B44 second address: 0000000002C30BE4 instructions: 0x00000000 rdtsc 0x00000002 setnb ah 0x00000005 bsr ax, bx 0x00000009 jle 00007F0B68A48A5Fh 0x0000000b jnle 00007F0B68A48A5Dh 0x0000000d add esi, 04h 0x00000010 jmp 00007F0B68A48A56h 0x00000012 mov eax, A32D9BDBh 0x00000017 sub esp, 0Dh 0x0000001a jo 00007F0B68A48A7Eh 0x0000001c pop cx 0x0000001e jmp 00007F0B68A48A64h 0x00000020 xchg dword ptr [esp+04h], edx 0x00000024 lea esp, dword ptr [esp+03h] 0x00000028 jmp 00007F0B68A48A68h 0x0000002a push ebp 0x0000002b xchg al, cl 0x0000002d jmp 00007F0B68A48A8Ch 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C6867B second address: 0000000002C6870C instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 lea ecx, dword ptr [00000000h+ebx*4] 0x0000000a xchg cx, dx 0x0000000d cmc 0x0000000e jmp 00007F0B68C4F3B7h 0x00000010 xchg dword ptr [esp], ecx 0x00000013 not dx 0x00000016 bsr dx, bx 0x0000001a ror dh, cl 0x0000001c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C3726B second address: 0000000002C32051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A4382Ch 0x00000007 neg al 0x00000009 jmp 00007F0B68A48A90h 0x0000000b jnle 00007F0B68A48A16h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C31E2B second address: 0000000002C31E6B instructions: 0x00000000 rdtsc 0x00000002 sub esp, 1Fh 0x00000005 js 00007F0B68C4F31Eh 0x00000007 jns 00007F0B68C4F34Ah 0x00000009 add esp, 02h 0x0000000c xor dx, di 0x0000000f push dword ptr [esp+10h] 0x00000013 jmp 00007F0B68C4F37Bh 0x00000015 pop dword ptr [esp+12h] 0x00000019 lea esp, dword ptr [esp+01h] 0x0000001d jmp 00007F0B68C4F318h 0x0000001f lea esp, dword ptr [esp+1Ch] 0x00000023 inc cl 0x00000025 bswap edx 0x00000027 jmp 00007F0B68C4F378h 0x00000029 mov dl, D7h 0x0000002b sub cl, 0000005Ah 0x0000002e lea eax, dword ptr [esi+edi] 0x00000031 mov eax, 459BDAAEh 0x00000036 mov eax, 797942E0h 0x0000003b jmp 00007F0B68C4F2F8h 0x0000003d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C31E6B second address: 0000000002C31E99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 setle al 0x00000006 mov word ptr [esp+01h], dx 0x0000000b jmp 00007F0B68A48A65h 0x0000000d lea esp, dword ptr [esp+04h] 0x00000011 add cl, FFFFFF8Ah 0x00000014 lea eax, dword ptr [00000000h+ecx*4] 0x0000001b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C37224 second address: 0000000002C3208D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4A163h 0x00000007 neg al 0x00000009 jmp 00007F0B68C4F380h 0x0000000b jnle 00007F0B68C4F306h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C3CB10 second address: 0000000002C3C193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A480CDh 0x00000007 mov ecx, edi 0x00000009 not al 0x0000000b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C3024C second address: 0000000002C30402 instructions: 0x00000000 rdtsc 0x00000002 not cx 0x00000005 mov dx, di 0x00000008 neg ax 0x0000000b jmp 00007F0B68C4F4E2h 0x00000010 jnc 00007F0B68C4F1B9h 0x00000016 mov bx, sp 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C30402 second address: 0000000002C1EF12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A489C9h 0x00000007 lea edx, dword ptr [esi+2B069A91h] 0x0000000d jmp 00007F0B68A4894Ah 0x00000012 lea eax, dword ptr [00000000h+edi*4] 0x00000019 sets bl 0x0000001c neg dx 0x0000001f jmp 00007F0B68A48A60h 0x00000021 jl 00007F0B68A48A79h 0x00000023 mov ebx, dword ptr [esp] 0x00000026 lea esp, dword ptr [esp+04h] 0x0000002a jmp 00007F0B68A375DCh 0x0000002f mov ebx, edi 0x00000031 jmp 00007F0B68A48A2Ah 0x00000033 xor cx, 1B47h 0x00000038 jno 00007F0B68A48A35h 0x0000003a lea ecx, dword ptr [00000000h+edx*4] 0x00000041 mov edx, dword ptr [esp] 0x00000044 jmp 00007F0B68A48A9Ah 0x00000046 mov dx, word ptr [esp] 0x0000004a sub esp, 0Eh 0x0000004d pop dword ptr [esp+02h] 0x00000051 jmp 00007F0B68A48A2Fh 0x00000053 add esp, 06h 0x00000056 push bp 0x00000058 cmc 0x00000059 jnbe 00007F0B68A48AC9h 0x0000005b xchg dword ptr [esp], edx 0x0000005e lea esp, dword ptr [esp+02h] 0x00000062 call 00007F0B68A48A87h 0x00000067 lea ecx, dword ptr [ebp-0E4DF243h] 0x0000006d xchg dx, cx 0x00000070 mov eax, esi 0x00000072 jmp 00007F0B68A48A83h 0x00000074 or ch, FFFFFFA1h 0x00000077 dec eax 0x00000078 xchg dword ptr [esp], edi 0x0000007b dec dl 0x0000007d mov ax, bx 0x00000080 lea eax, dword ptr [D78CC83Fh] 0x00000086 jmp 00007F0B68A48A90h 0x00000088 lea edx, dword ptr [esi+ebp] 0x0000008b lea edi, dword ptr [edi+4Ch] 0x0000008e pushfd 0x0000008f bswap edx 0x00000091 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C31475 second address: 0000000002C315DC instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ecx+67h] 0x00000005 push ebx 0x00000006 clc 0x00000007 jle 00007F0B68C4F393h 0x00000009 bswap ebp 0x0000000b lea ebp, dword ptr [esi+edi] 0x0000000e xchg dl, cl 0x00000010 call 00007F0B68C4F455h 0x00000015 mov bh, byte ptr [esp] 0x00000018 mov ch, bh 0x0000001a btc dx, bx 0x0000001e jmp 00007F0B68C4F379h 0x00000020 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C73DA9 second address: 0000000002C73DAB instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C74726 second address: 0000000002C74652 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jmp 00007F0B68C4F1A4h 0x00000008 mov dl, byte ptr [esp] 0x0000000b not ax 0x0000000e push dword ptr [esp+08h] 0x00000012 retn 000Ch 0x00000015 mov ecx, 49808F39h 0x0000001a lea ecx, dword ptr [edx+esi] 0x0000001d lea esp, dword ptr [esp+02h] 0x00000021 jmp 00007F0B68C4F39Eh 0x00000023 mov edx, esi 0x00000025 mov ecx, dword ptr [edx] 0x00000027 mov dh, byte ptr [esp] 0x0000002a call 00007F0B68C4F3BFh 0x0000002f setl dh 0x00000032 jmp 00007F0B68C4F2EFh 0x00000034 mov edx, dword ptr [esp+01h] 0x00000038 add esi, 04h 0x0000003b call 00007F0B68C4F321h 0x00000040 push dword ptr [esp] 0x00000043 je 00007F0B68C4F377h 0x00000045 jne 00007F0B68C4F35Fh 0x00000047 bsf dx, dx 0x0000004b call 00007F0B68C4F454h 0x00000050 lea edx, dword ptr [00000000h+edi*4] 0x00000057 mov ax, word ptr [esp] 0x0000005b mov dx, word ptr [esp] 0x0000005f bts ax, dx 0x00000063 xchg ax, dx 0x00000065 jmp 00007F0B68C4F27Ch 0x0000006a xchg dword ptr [esp], edi 0x0000006d push edx 0x0000006e pop dx 0x00000070 xchg al, dh 0x00000072 bt eax, ecx 0x00000075 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C6DB28 second address: 0000000002C3C193 instructions: 0x00000000 rdtsc 0x00000002 mov cl, byte ptr [esp] 0x00000005 mov ecx, 6AB4FF8Eh 0x0000000a mov cl, al 0x0000000c jmp 00007F0B68A48DCBh 0x00000011 sub esi, 08h 0x00000014 bsf ecx, ebp 0x00000017 je 00007F0B68A48722h 0x0000001d lea ecx, dword ptr [B11B85EFh] 0x00000023 sub esp, 1Ch 0x00000026 jmp 00007F0B68A486EEh 0x0000002b mov dword ptr [esi], edx 0x0000002d sub esp, 10h 0x00000030 jmp 00007F0B68A48B76h 0x00000035 jg 00007F0B68A48930h 0x0000003b lea ecx, dword ptr [97B3A23Bh] 0x00000041 jmp 00007F0B68A48B25h 0x00000046 mov dword ptr [esi+04h], eax 0x00000049 mov ax, word ptr [esp] 0x0000004d not ax 0x00000050 mov dh, CEh 0x00000052 lea eax, dword ptr [00000000h+ebx*4] 0x00000059 jmp 00007F0B68A16F84h 0x0000005e mov ecx, edi 0x00000060 not al 0x00000062 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C5FC3D second address: 0000000002C5FC27 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 18h 0x00000005 mov eax, 1C7ADB84h 0x0000000a jmp 00007F0B68C4F31Dh 0x0000000c mov ecx, dword ptr [ebp+08h] 0x0000000f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C5FF18 second address: 0000000002C5FF1E instructions: 0x00000000 rdtsc 0x00000002 bsf ax, di 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C3A0A5 second address: 0000000002C3A101 instructions: 0x00000000 rdtsc 0x00000002 rol cl, 00000006h 0x00000005 jns 00007F0B68C4F44Ah 0x0000000b xchg eax, edx 0x0000000c sub esi, 04h 0x0000000f xchg dx, ax 0x00000012 adc cx, si 0x00000015 jnl 00007F0B68C4F265h 0x0000001b inc cl 0x0000001d cmc 0x0000001e jmp 00007F0B68C4F275h 0x00000023 mov cx, ss 0x00000025 mov al, byte ptr [esp] 0x00000028 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C87A67 second address: 0000000002C87AE8 instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [esp] 0x00000005 mov ah, ch 0x00000007 jmp 00007F0B68A48A72h 0x00000009 sub esi, 02h 0x0000000c xchg eax, edx 0x0000000d stc 0x0000000e jmp 00007F0B68A48A99h 0x00000010 jle 00007F0B68A48A0Dh 0x00000012 jnle 00007F0B68A48A0Bh 0x00000014 or word ptr [esi+04h], cx 0x00000018 mov edx, esp 0x0000001a call 00007F0B68A48A77h 0x0000001f mov al, B4h 0x00000021 jmp 00007F0B68A48A2Ch 0x00000023 pushfd 0x00000024 jmp 00007F0B68A48A8Bh 0x00000026 pop dword ptr [esi] 0x00000028 mov al, C9h 0x0000002a mov edx, esp 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C87AE8 second address: 0000000002C32051 instructions: 0x00000000 rdtsc 0x00000002 xchg dl, al 0x00000004 jmp 00007F0B68BF989Dh 0x00000009 neg al 0x0000000b jmp 00007F0B68C4F380h 0x0000000d jnle 00007F0B68C4F306h 0x0000000f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002C68778 second address: 0000000002C68788 instructions: 0x00000000 rdtsc 0x00000002 bsf dx, di 0x00000006 jmp 00007F0B68A48A56h 0x00000008 jo 00007F0B68A48A26h 0x0000000a neg edx 0x0000000c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E3CFE4 second address: 0000000002E3D03D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F31Ah 0x00000004 sub esp, 0Fh 0x00000007 mov ax, dx 0x0000000a call 00007F0B68C4F378h 0x0000000f mov dword ptr [esp+10h], eax 0x00000013 or ch, FFFFFF81h 0x00000016 push word ptr [esp+06h] 0x0000001b pushad 0x0000001c jmp 00007F0B68C4F31Dh 0x0000001e mov dx, 0084h 0x00000022 bsf ebx, edx 0x00000025 mov ebx, dword ptr [esp+2Fh] 0x00000029 mov bx, cx 0x0000002c jmp 00007F0B68C4F3A3h 0x0000002e xchg word ptr [esp+14h], bx 0x00000033 mov word ptr [esp+07h], si 0x00000038 push word ptr [esp+2Bh] 0x0000003d sub esp, 01h 0x00000040 pop edx 0x00000041 xchg dword ptr [esp+28h], eax 0x00000045 jmp 00007F0B68C4F302h 0x00000047 lea ebp, dword ptr [edi+2363DC3Fh] 0x0000004d mov ecx, 1D25122Fh 0x00000052 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E3D03D second address: 0000000002E3D134 instructions: 0x00000000 rdtsc 0x00000002 pop si 0x00000004 mov bh, dl 0x00000006 cld 0x00000007 jmp 00007F0B68A48A7Eh 0x00000009 mov dword ptr [esp+24h], edi 0x0000000d stc 0x0000000e popad 0x0000000f push word ptr [esp+0Ch] 0x00000014 mov word ptr [esp+01h], di 0x00000019 xchg word ptr [esp+06h], ax 0x0000001e jmp 00007F0B68A48A9Dh 0x00000020 mov bx, word ptr [esp+0Dh] 0x00000025 pop word ptr [esp+0Ah] 0x0000002a sub esp, 03h 0x0000002d rcr dl, 00000000h 0x00000030 pop dword ptr [esp+06h] 0x00000034 dec ebx 0x00000035 jmp 00007F0B68A48A14h 0x00000037 sub esp, 12h 0x0000003a bswap esi 0x0000003c mov ecx, esp 0x0000003e setnl cl 0x00000041 cmc 0x00000042 xchg edi, eax 0x00000044 jmp 00007F0B68A48AC8h 0x00000046 xchg ax, di 0x00000048 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E3D134 second address: 0000000002E3D0C4 instructions: 0x00000000 rdtsc 0x00000002 call 00007F0B68C4F2C6h 0x00000007 bts cx, bp 0x0000000b pop ebp 0x0000000c rol dx, cl 0x0000000f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E3D0C4 second address: 0000000002E3D111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A48A8Bh 0x00000004 lea edi, dword ptr [edi+ebp] 0x00000007 mov dword ptr [esp+11h], eax 0x0000000b sub bp, E0F4h 0x00000010 xchg dword ptr [esp+1Bh], ebx 0x00000014 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 0000000002E3D42F second address: 0000000002E3D40B instructions: 0x00000000 rdtsc 0x00000002 or edx, esi 0x00000004 jmp 00007F0B68C4F2B9h 0x00000009 mov edx, 8C0A744Fh 0x0000000e cmc 0x0000000f xor cl, 0000005Fh 0x00000012 rcl dx, cl 0x00000015 mov dword ptr [esp+07h], ebp 0x00000019 jmp 00007F0B68C4F369h 0x0000001b push dword ptr [esp+0Ch] 0x0000001f not eax 0x00000021 setp bl 0x00000024 setbe bl 0x00000027 not si 0x0000002a mov word ptr [esp+11h], dx 0x0000002f jmp 00007F0B68C4F316h 0x00000031 bswap ebp 0x00000033 push word ptr [esp+05h] 0x00000038 lea edi, dword ptr [eax+edi] 0x0000003b mov si, B3B3h 0x0000003f jmp 00007F0B68C4F35Eh 0x00000041 mov dh, byte ptr [esp+16h] 0x00000045 add esp, 15h 0x00000048 mov bl, F0h 0x0000004a mov cx, word ptr [esp+04h] 0x0000004f pop bp 0x00000051 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3D40B second address: 0000000002E3D495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A48AAFh 0x00000004 xchg ebx, ecx 0x00000006 pushad 0x00000007 pop dword ptr [esp+1Bh] 0x0000000b pop dword ptr [esp+04h] 0x0000000f bsr bx, ax 0x00000013 mov dl, F8h 0x00000015 jmp 00007F0B68A48A21h 0x00000017 xchg esi, edx 0x00000019 mov ch, ah 0x0000001b pop bx 0x0000001d pop edi 0x0000001e lea ebp, dword ptr [eax-0000F067h] 0x00000024 mov dx, 84EDh 0x00000028 jmp 00007F0B68A48A29h 0x0000002a mov edi, 9BCCFFF5h 0x0000002f add ebx, eax 0x00000031 add ax, 000084CAh 0x00000035 mov word ptr [esp+11h], ax 0x0000003a jmp 00007F0B68A48A9Dh 0x0000003c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3D525 second address: 0000000002E3D5A8 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bp 0x00000005 bsr ax, cx 0x00000009 push dword ptr [esp+12h] 0x0000000d pop ax 0x0000000f jmp 00007F0B68C4F377h 0x00000011 xchg dword ptr [esp+0Dh], ecx 0x00000015 lea esp, dword ptr [esp+0Bh] 0x00000019 mov byte ptr [esp+05h], dl 0x0000001d xchg bl, bh 0x0000001f lea esp, dword ptr [esp+10h] 0x00000023 mov dh, AFh 0x00000025 jmp 00007F0B68C4F316h 0x00000027 std 0x00000028 call 00007F0B68C4F3EBh 0x0000002d push dword ptr [esp+02h] 0x00000031 mov esi, 77201D02h 0x00000036 lea edx, dword ptr [esp+1F709682h] 0x0000003d bswap edi 0x0000003f cpuid 0x00000041 jmp 00007F0B68C4F2FDh 0x00000043 sbb bx, si 0x00000046 xchg word ptr [esp], di 0x0000004a lea eax, dword ptr [00000000h+edi*4] 0x00000051 xchg word ptr [esp+03h], cx 0x00000056 xchg byte ptr [esp+04h], dl 0x0000005a cpuid 0x0000005c jmp 00007F0B68C4F30Ch 0x0000005e sub esp, 10h 0x00000061 push dword ptr [esp+06h] 0x00000065 lea esp, dword ptr [esp+15h] 0x00000069 lea esi, dword ptr [00000000h+esi*4] 0x00000070 jmp 00007F0B68C4F318h 0x00000072 lea esp, dword ptr [esp+08h] 0x00000076 bsr ebx, esi 0x00000079 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3D7DE second address: 0000000002E3D861 instructions: 0x00000000 rdtsc 0x00000002 lea esi, dword ptr [eax+6F971120h] 0x00000008 xchg bx, si 0x0000000b jmp 00007F0B68A48A67h 0x0000000d mov dl, cl 0x0000000f std 0x00000010 mov bx, word ptr [esp] 0x00000014 xchg ebx, ebp 0x00000016 xchg ebp, edx 0x00000018 lea edi, dword ptr [edx+ebx] 0x0000001b jmp 00007F0B68A48A98h 0x0000001d xchg eax, ebp 0x0000001e mov di, ax 0x00000021 std 0x00000022 neg bx 0x00000025 setb ah 0x00000028 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3D9FA second address: 0000000002E3D9D6 instructions: 0x00000000 rdtsc 0x00000002 dec cx 0x00000004 push dword ptr [esp+05h] 0x00000008 mov ebp, dword ptr [esp+33h] 0x0000000c lea edx, dword ptr [00000000h+ebp*4] 0x00000013 push dword ptr [esp+32h] 0x00000017 jmp 00007F0B68C4F2FEh 0x00000019 mov dword ptr [esp+25h], ecx 0x0000001d setnl dh 0x00000020 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3D9D6 second address: 0000000002E3DA7E instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, esi 0x00000004 lea ebx, dword ptr [ecx+edi] 0x00000007 xchg byte ptr [esp+19h], cl 0x0000000b call 00007F0B68A48A99h 0x00000010 jmp 00007F0B68A48A39h 0x00000012 push bp 0x00000014 xchg byte ptr [esp+11h], cl 0x00000018 pop edx 0x00000019 mov bh, dh 0x0000001b mov byte ptr [esp+2Dh], dh 0x0000001f mov ebp, ebx 0x00000021 jmp 00007F0B68A48A76h 0x00000023 pop word ptr [esp+13h] 0x00000028 mov word ptr [esp+2Ch], bx 0x0000002d bt ecx, ebp 0x00000030 mov edx, ebx 0x00000032 neg si 0x00000035 clc 0x00000036 jmp 00007F0B68A48A21h 0x00000038 sbb esi, E0A84136h 0x0000003e mov word ptr [esp+02h], di 0x00000043 lea esi, dword ptr [378A0432h] 0x00000049 xchg di, bp 0x0000004c xchg edi, ebp 0x0000004e jmp 00007F0B68A48A81h 0x00000050 push dword ptr [esp+29h] 0x00000054 mov ebp, DF4D6296h 0x00000059 pop bp 0x0000005b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002E3DDF5 second address: 0000000002E3DDBC instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+01h] 0x00000006 push word ptr [esp+02h] 0x0000000b mov esi, 2EED7EFDh 0x00000010 sub esp, 0Dh 0x00000013 jmp 00007F0B68C4F2F4h 0x00000015 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D44997 second address: 0000000002D449D9 instructions: 0x00000000 rdtsc 0x00000002 btc cx, bx 0x00000006 je 00007F0B68A48A0Ah 0x00000008 clc 0x00000009 jmp 00007F0B68A48A26h 0x0000000b xor dx, A906h 0x00000010 jmp 00007F0B68A48A9Fh 0x00000012 lea ecx, dword ptr [edi+50h] 0x00000015 mov dx, ax 0x00000018 mov dl, byte ptr [esp] 0x0000001b lea eax, dword ptr [eax+0000D183h] 0x00000021 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D4DCA2 second address: 0000000002D4DC76 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4D026007h 0x00000007 sub esi, 04h 0x0000000a jmp 00007F0B68C4F303h 0x0000000c lea edx, dword ptr [00000000h+ecx*4] 0x00000013 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D3F054 second address: 0000000002D3F276 instructions: 0x00000000 rdtsc 0x00000002 mov ax, CFB1h 0x00000006 push dword ptr [esp+10h] 0x0000000a retn 0014h 0x0000000d call 00007F0B68A489EEh 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 call 00007F0B68A48AFAh 0x0000001b mov cx, word ptr [esp] 0x0000001f sub esp, 09h 0x00000022 mov ah, D2h 0x00000024 dec edx 0x00000025 inc al 0x00000027 jmp 00007F0B68A48A2Eh 0x00000029 lea esp, dword ptr [esp+01h] 0x0000002d xchg dword ptr [esp+08h], eax 0x00000031 sets ch 0x00000034 mov edx, ebx 0x00000036 pushfd 0x00000037 jmp 00007F0B68A48A66h 0x00000039 lea esp, dword ptr [esp+01h] 0x0000003d lea ecx, dword ptr [A28040EFh] 0x00000043 lea esp, dword ptr [esp+03h] 0x00000047 jmp 00007F0B68A48F0Eh 0x0000004c lea eax, dword ptr [eax+6Bh] 0x0000004f mov dh, AEh 0x00000051 setp dh 0x00000054 push bx 0x00000056 lea ecx, dword ptr [00000000h+ecx*4] 0x0000005d lea esp, dword ptr [esp+02h] 0x00000061 jmp 00007F0B68A48732h 0x00000066 xchg dword ptr [esp+08h], eax 0x0000006a inc eax 0x0000006b mov al, 99h 0x0000006d sets cl 0x00000070 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D3F276 second address: 0000000002D3F106 instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+08h] 0x00000006 retn 000Ch 0x00000009 jmp 00007F0B68C4F3E2h 0x0000000e rol edi, 00000000h 0x00000011 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D3F106 second address: 0000000002D3F145 instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 shl al, cl 0x00000007 jc 00007F0B68A48A2Fh 0x00000009 jnc 00007F0B68A48A17h 0x0000000b mov ch, byte ptr [esp] 0x0000000e mov dl, 36h 0x00000010 jmp 00007F0B68A48B0Eh 0x00000015 lea esp, dword ptr [esp+18h] 0x00000019 neg edi 0x0000001b rol al, 00000006h 0x0000001e jns 00007F0B68A48A07h 0x00000020 bswap ecx 0x00000022 push esp 0x00000023 rol edi, 00000000h 0x00000026 lea eax, dword ptr [00000000h+ebp*4] 0x0000002d call 00007F0B68A48A2Ch 0x00000032 lea ecx, dword ptr [edx+edi] 0x00000035 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D50B44 second address: 0000000002D50BE4 instructions: 0x00000000 rdtsc 0x00000002 setnb ah 0x00000005 bsr ax, bx 0x00000009 jle 00007F0B68C4F34Fh 0x0000000b jnle 00007F0B68C4F34Dh 0x0000000d add esi, 04h 0x00000010 jmp 00007F0B68C4F346h 0x00000012 mov eax, A32D9BDBh 0x00000017 sub esp, 0Dh 0x0000001a jo 00007F0B68C4F36Eh 0x0000001c pop cx 0x0000001e jmp 00007F0B68C4F354h 0x00000020 xchg dword ptr [esp+04h], edx 0x00000024 lea esp, dword ptr [esp+03h] 0x00000028 jmp 00007F0B68C4F358h 0x0000002a push ebp 0x0000002b xchg al, cl 0x0000002d jmp 00007F0B68C4F37Ch 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D8867B second address: 0000000002D8870C instructions: 0x00000000 rdtsc 0x00000002 dec edx 0x00000003 lea ecx, dword ptr [00000000h+ebx*4] 0x0000000a xchg cx, dx 0x0000000d cmc 0x0000000e jmp 00007F0B68A48AC7h 0x00000010 xchg dword ptr [esp], ecx 0x00000013 not dx 0x00000016 bsr dx, bx 0x0000001a ror dh, cl 0x0000001c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D5726B second address: 0000000002D52051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4A11Ch 0x00000007 neg al 0x00000009 jmp 00007F0B68C4F380h 0x0000000b jnle 00007F0B68C4F306h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D51E2B second address: 0000000002D51E6B instructions: 0x00000000 rdtsc 0x00000002 sub esp, 1Fh 0x00000005 js 00007F0B68A48A2Eh 0x00000007 jns 00007F0B68A48A5Ah 0x00000009 add esp, 02h 0x0000000c xor dx, di 0x0000000f push dword ptr [esp+10h] 0x00000013 jmp 00007F0B68A48A8Bh 0x00000015 pop dword ptr [esp+12h] 0x00000019 lea esp, dword ptr [esp+01h] 0x0000001d jmp 00007F0B68A48A28h 0x0000001f lea esp, dword ptr [esp+1Ch] 0x00000023 inc cl 0x00000025 bswap edx 0x00000027 jmp 00007F0B68A48A88h 0x00000029 mov dl, D7h 0x0000002b sub cl, 0000005Ah 0x0000002e lea eax, dword ptr [esi+edi] 0x00000031 mov eax, 459BDAAEh 0x00000036 mov eax, 797942E0h 0x0000003b jmp 00007F0B68A48A08h 0x0000003d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D51E6B second address: 0000000002D51E99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 setle al 0x00000006 mov word ptr [esp+01h], dx 0x0000000b jmp 00007F0B68C4F355h 0x0000000d lea esp, dword ptr [esp+04h] 0x00000011 add cl, FFFFFF8Ah 0x00000014 lea eax, dword ptr [00000000h+ecx*4] 0x0000001b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D57224 second address: 0000000002D52051 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68A43873h 0x00000007 neg al 0x00000009 jmp 00007F0B68A48A90h 0x0000000b jnle 00007F0B68A48A16h 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D5CB10 second address: 0000000002D5C193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4E9BDh 0x00000007 mov ecx, edi 0x00000009 not al 0x0000000b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002C6F6A1 second address: 0000000002C32051 instructions: 0x00000000 rdtsc 0x00000002 mov ax, D373h 0x00000006 mov dx, word ptr [esp] 0x0000000a xchg eax, edx 0x0000000b mov ax, 0531h 0x0000000f shl eax, 13h 0x00000012 jmp 00007F0B68A48AF5h 0x00000017 jbe 00007F0B68A489BCh 0x0000001d ja 00007F0B68A489B6h 0x00000023 inc cx 0x00000025 mov dx, word ptr [esp] 0x00000029 mov ax, word ptr [esp] 0x0000002d mov dl, byte ptr [esp] 0x00000030 jmp 00007F0B68A48A87h 0x00000032 sub cx, 635Ah 0x00000037 not dh 0x00000039 lea edx, dword ptr [eax+esi] 0x0000003c mov edx, dword ptr [esp] 0x0000003f mov dx, word ptr [esp] 0x00000043 jmp 00007F0B68A48A0Ah 0x00000045 xchg edx, eax 0x00000047 dec dl 0x00000049 jns 00007F0B68A48A6Bh 0x0000004b add cx, 108Ah 0x00000050 lea edx, dword ptr [edx+esi] 0x00000053 jmp 00007F0B68A48A87h 0x00000055 mov ah, 76h 0x00000057 mov dx, 6461h 0x0000005b call 00007F0B68A48A34h 0x00000060 mov word ptr [esi], cx 0x00000063 pushad 0x00000064 lea eax, dword ptr [00000000h+ebx*4] 0x0000006b jmp 00007F0B68A48A66h 0x0000006d lea ecx, dword ptr [esp+42h] 0x00000071 lea edx, dword ptr [00000000h+ebx*4] 0x00000078 jmp 00007F0B68A0B352h 0x0000007d neg al 0x0000007f jmp 00007F0B68A48A90h 0x00000081 jnle 00007F0B68A48A16h 0x00000083 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002C65A2C second address: 0000000002C3C193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F315h 0x00000004 call 00007F0B68C4F328h 0x00000009 jmp 00007F0B68C4F35Dh 0x0000000b xchg eax, ecx 0x0000000c sets dh 0x0000000f lea edx, dword ptr [00000000h+edi*4] 0x00000016 bswap edx 0x00000018 jmp 00007F0B68C4F44Dh 0x0000001d cbw 0x0000001f mov dh, C8h 0x00000021 not dl 0x00000023 lea edx, dword ptr [eax+ebx] 0x00000026 sub esp, 1Eh 0x00000029 jmp 00007F0B68C4F279h 0x0000002e jnc 00007F0B68C4F3A4h 0x00000030 lea esp, dword ptr [esp+02h] 0x00000034 xchg eax, ecx 0x00000035 mov dx, word ptr [esp] 0x00000039 jmp 00007F0B68C4F2B2h 0x0000003e mov edx, esp 0x00000040 lea edx, dword ptr [edi-31FB5232h] 0x00000046 bswap edx 0x00000048 mov word ptr [esi], cx 0x0000004b setle dl 0x0000004e jmp 00007F0B68C4F31Ah 0x00000050 lea edx, dword ptr [00000000h+edi*4] 0x00000057 btc edx, esi 0x0000005a jle 00007F0B68C4F38Bh 0x0000005c mov dx, word ptr [esp] 0x00000060 jmp 00007F0B68C25A8Fh 0x00000065 mov ecx, edi 0x00000067 not al 0x00000069 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D5024C second address: 0000000002D50402 instructions: 0x00000000 rdtsc 0x00000002 not cx 0x00000005 mov dx, di 0x00000008 neg ax 0x0000000b jmp 00007F0B68A48BF2h 0x00000010 jnc 00007F0B68A488C9h 0x00000016 mov bx, sp 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D50402 second address: 0000000002D3EF12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F2B9h 0x00000007 lea edx, dword ptr [esi+2B069A91h] 0x0000000d jmp 00007F0B68C4F23Ah 0x00000012 lea eax, dword ptr [00000000h+edi*4] 0x00000019 sets bl 0x0000001c neg dx 0x0000001f jmp 00007F0B68C4F350h 0x00000021 jl 00007F0B68C4F369h 0x00000023 mov ebx, dword ptr [esp] 0x00000026 lea esp, dword ptr [esp+04h] 0x0000002a jmp 00007F0B68C3DECCh 0x0000002f mov ebx, edi 0x00000031 jmp 00007F0B68C4F31Ah 0x00000033 xor cx, 1B47h 0x00000038 jno 00007F0B68C4F325h 0x0000003a lea ecx, dword ptr [00000000h+edx*4] 0x00000041 mov edx, dword ptr [esp] 0x00000044 jmp 00007F0B68C4F38Ah 0x00000046 mov dx, word ptr [esp] 0x0000004a sub esp, 0Eh 0x0000004d pop dword ptr [esp+02h] 0x00000051 jmp 00007F0B68C4F31Fh 0x00000053 add esp, 06h 0x00000056 push bp 0x00000058 cmc 0x00000059 jnbe 00007F0B68C4F3B9h 0x0000005b xchg dword ptr [esp], edx 0x0000005e lea esp, dword ptr [esp+02h] 0x00000062 call 00007F0B68C4F377h 0x00000067 lea ecx, dword ptr [ebp-0E4DF243h] 0x0000006d xchg dx, cx 0x00000070 mov eax, esi 0x00000072 jmp 00007F0B68C4F373h 0x00000074 or ch, FFFFFFA1h 0x00000077 dec eax 0x00000078 xchg dword ptr [esp], edi 0x0000007b dec dl 0x0000007d mov ax, bx 0x00000080 lea eax, dword ptr [D78CC83Fh] 0x00000086 jmp 00007F0B68C4F380h 0x00000088 lea edx, dword ptr [esi+ebp] 0x0000008b lea edi, dword ptr [edi+4Ch] 0x0000008e pushfd 0x0000008f bswap edx 0x00000091 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D51475 second address: 0000000002D515DC instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ecx+67h] 0x00000005 push ebx 0x00000006 clc 0x00000007 jle 00007F0B68A48AA3h 0x00000009 bswap ebp 0x0000000b lea ebp, dword ptr [esi+edi] 0x0000000e xchg dl, cl 0x00000010 call 00007F0B68A48B65h 0x00000015 mov bh, byte ptr [esp] 0x00000018 mov ch, bh 0x0000001a btc dx, bx 0x0000001e jmp 00007F0B68A48A89h 0x00000020 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D93DA9 second address: 0000000002D93DAB instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D94726 second address: 0000000002D94652 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jmp 00007F0B68A488B4h 0x00000008 mov dl, byte ptr [esp] 0x0000000b not ax 0x0000000e push dword ptr [esp+08h] 0x00000012 retn 000Ch 0x00000015 mov ecx, 49808F39h 0x0000001a lea ecx, dword ptr [edx+esi] 0x0000001d lea esp, dword ptr [esp+02h] 0x00000021 jmp 00007F0B68A48AAEh 0x00000023 mov edx, esi 0x00000025 mov ecx, dword ptr [edx] 0x00000027 mov dh, byte ptr [esp] 0x0000002a call 00007F0B68A48ACFh 0x0000002f setl dh 0x00000032 jmp 00007F0B68A489FFh 0x00000034 mov edx, dword ptr [esp+01h] 0x00000038 add esi, 04h 0x0000003b call 00007F0B68A48A31h 0x00000040 push dword ptr [esp] 0x00000043 je 00007F0B68A48A87h 0x00000045 jne 00007F0B68A48A6Fh 0x00000047 bsf dx, dx 0x0000004b call 00007F0B68A48B64h 0x00000050 lea edx, dword ptr [00000000h+edi*4] 0x00000057 mov ax, word ptr [esp] 0x0000005b mov dx, word ptr [esp] 0x0000005f bts ax, dx 0x00000063 xchg ax, dx 0x00000065 jmp 00007F0B68A4898Ch 0x0000006a xchg dword ptr [esp], edi 0x0000006d push edx 0x0000006e pop dx 0x00000070 xchg al, dh 0x00000072 bt eax, ecx 0x00000075 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D8DB28 second address: 0000000002D5C193 instructions: 0x00000000 rdtsc 0x00000002 mov cl, byte ptr [esp] 0x00000005 mov ecx, 6AB4FF8Eh 0x0000000a mov cl, al 0x0000000c jmp 00007F0B68C4F6BBh 0x00000011 sub esi, 08h 0x00000014 bsf ecx, ebp 0x00000017 je 00007F0B68C4F012h 0x0000001d lea ecx, dword ptr [B11B85EFh] 0x00000023 sub esp, 1Ch 0x00000026 jmp 00007F0B68C4EFDEh 0x0000002b mov dword ptr [esi], edx 0x0000002d sub esp, 10h 0x00000030 jmp 00007F0B68C4F466h 0x00000035 jg 00007F0B68C4F220h 0x0000003b lea ecx, dword ptr [97B3A23Bh] 0x00000041 jmp 00007F0B68C4F415h 0x00000046 mov dword ptr [esi+04h], eax 0x00000049 mov ax, word ptr [esp] 0x0000004d not ax 0x00000050 mov dh, CEh 0x00000052 lea eax, dword ptr [00000000h+ebx*4] 0x00000059 jmp 00007F0B68C1D874h 0x0000005e mov ecx, edi 0x00000060 not al 0x00000062 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D7FC3D second address: 0000000002D7FC27 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 18h 0x00000005 mov eax, 1C7ADB84h 0x0000000a jmp 00007F0B68A48A2Dh 0x0000000c mov ecx, dword ptr [ebp+08h] 0x0000000f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D7FF18 second address: 0000000002D7FF1E instructions: 0x00000000 rdtsc 0x00000002 bsf ax, di 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D5A0A5 second address: 0000000002D5A101 instructions: 0x00000000 rdtsc 0x00000002 rol cl, 00000006h 0x00000005 jns 00007F0B68A48B5Ah 0x0000000b xchg eax, edx 0x0000000c sub esi, 04h 0x0000000f xchg dx, ax 0x00000012 adc cx, si 0x00000015 jnl 00007F0B68A48975h 0x0000001b inc cl 0x0000001d cmc 0x0000001e jmp 00007F0B68A48985h 0x00000023 mov cx, ss 0x00000025 mov al, byte ptr [esp] 0x00000028 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DA7A67 second address: 0000000002DA7AE8 instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [esp] 0x00000005 mov ah, ch 0x00000007 jmp 00007F0B68C4F362h 0x00000009 sub esi, 02h 0x0000000c xchg eax, edx 0x0000000d stc 0x0000000e jmp 00007F0B68C4F389h 0x00000010 jle 00007F0B68C4F2FDh 0x00000012 jnle 00007F0B68C4F2FBh 0x00000014 or word ptr [esi+04h], cx 0x00000018 mov edx, esp 0x0000001a call 00007F0B68C4F367h 0x0000001f mov al, B4h 0x00000021 jmp 00007F0B68C4F31Ch 0x00000023 pushfd 0x00000024 jmp 00007F0B68C4F37Bh 0x00000026 pop dword ptr [esi] 0x00000028 mov al, C9h 0x0000002a mov edx, esp 0x0000002c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002DA7AE8 second address: 0000000002D5208D instructions: 0x00000000 rdtsc 0x00000002 xchg dl, al 0x00000004 jmp 00007F0B689F2FADh 0x00000009 neg al 0x0000000b jmp 00007F0B68A48A90h 0x0000000d jnle 00007F0B68A48A16h 0x0000000f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D88778 second address: 0000000002D88788 instructions: 0x00000000 rdtsc 0x00000002 bsf dx, di 0x00000006 jmp 00007F0B68C4F346h 0x00000008 jo 00007F0B68C4F316h 0x0000000a neg edx 0x0000000c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002C7B257 second address: 0000000002C7B294 instructions: 0x00000000 rdtsc 0x00000002 xchg cl, dl 0x00000004 xchg cl, ch 0x00000006 jmp 00007F0B68A48A81h 0x00000008 lea ebp, dword ptr [ebp+00000096h] 0x0000000e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002C703BA second address: 0000000002C703BA instructions: 0x00000000 rdtsc 0x00000002 xor dx, E322h 0x00000007 mov dword ptr [esp+1Ch], ecx 0x0000000b popad 0x0000000c sub esp, 19h 0x0000000f jmp 00007F0B68C4F2C8h 0x00000011 lea esp, dword ptr [esp+01h] 0x00000015 shr eax, 10h 0x00000018 lea esp, dword ptr [esp+18h] 0x0000001c test ax, ax 0x0000001f jmp 00007F0B68C4F2D5h 0x00000021 je 00007F0B68C4F1C0h 0x00000027 inc edx 0x00000028 jmp 00007F0B68C4F439h 0x0000002d push bp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F0B68C4F35Ah 0x00000035 inc edx 0x00000036 dec esi 0x00000037 jne 00007F0B68C4F266h 0x0000003d movzx eax, word ptr [edx] 0x00000040 jmp 00007F0B68C4F72Ch 0x00000045 cmc 0x00000046 add ecx, eax 0x00000048 xor ax, ax 0x0000004b pushad 0x0000004c jmp 00007F0B68C4F14Bh 0x00000051 xchg dx, bp 0x00000054 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D8F6A1 second address: 0000000002D52051 instructions: 0x00000000 rdtsc 0x00000002 mov ax, D373h 0x00000006 mov dx, word ptr [esp] 0x0000000a xchg eax, edx 0x0000000b mov ax, 0531h 0x0000000f shl eax, 13h 0x00000012 jmp 00007F0B68A48AF5h 0x00000017 jbe 00007F0B68A489BCh 0x0000001d ja 00007F0B68A489B6h 0x00000023 inc cx 0x00000025 mov dx, word ptr [esp] 0x00000029 mov ax, word ptr [esp] 0x0000002d mov dl, byte ptr [esp] 0x00000030 jmp 00007F0B68A48A87h 0x00000032 sub cx, 635Ah 0x00000037 not dh 0x00000039 lea edx, dword ptr [eax+esi] 0x0000003c mov edx, dword ptr [esp] 0x0000003f mov dx, word ptr [esp] 0x00000043 jmp 00007F0B68A48A0Ah 0x00000045 xchg edx, eax 0x00000047 dec dl 0x00000049 jns 00007F0B68A48A6Bh 0x0000004b add cx, 108Ah 0x00000050 lea edx, dword ptr [edx+esi] 0x00000053 jmp 00007F0B68A48A87h 0x00000055 mov ah, 76h 0x00000057 mov dx, 6461h 0x0000005b call 00007F0B68A48A34h 0x00000060 mov word ptr [esi], cx 0x00000063 pushad 0x00000064 lea eax, dword ptr [00000000h+ebx*4] 0x0000006b jmp 00007F0B68A48A66h 0x0000006d lea ecx, dword ptr [esp+42h] 0x00000071 lea edx, dword ptr [00000000h+ebx*4] 0x00000078 jmp 00007F0B68A0B352h 0x0000007d neg al 0x0000007f jmp 00007F0B68A48A90h 0x00000081 jnle 00007F0B68A48A16h 0x00000083 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D85A2C second address: 0000000002D5C193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0B68C4F315h 0x00000004 call 00007F0B68C4F328h 0x00000009 jmp 00007F0B68C4F35Dh 0x0000000b xchg eax, ecx 0x0000000c sets dh 0x0000000f lea edx, dword ptr [00000000h+edi*4] 0x00000016 bswap edx 0x00000018 jmp 00007F0B68C4F44Dh 0x0000001d cbw 0x0000001f mov dh, C8h 0x00000021 not dl 0x00000023 lea edx, dword ptr [eax+ebx] 0x00000026 sub esp, 1Eh 0x00000029 jmp 00007F0B68C4F279h 0x0000002e jnc 00007F0B68C4F3A4h 0x00000030 lea esp, dword ptr [esp+02h] 0x00000034 xchg eax, ecx 0x00000035 mov dx, word ptr [esp] 0x00000039 jmp 00007F0B68C4F2B2h 0x0000003e mov edx, esp 0x00000040 lea edx, dword ptr [edi-31FB5232h] 0x00000046 bswap edx 0x00000048 mov word ptr [esi], cx 0x0000004b setle dl 0x0000004e jmp 00007F0B68C4F31Ah 0x00000050 lea edx, dword ptr [00000000h+edi*4] 0x00000057 btc edx, esi 0x0000005a jle 00007F0B68C4F38Bh 0x0000005c mov dx, word ptr [esp] 0x00000060 jmp 00007F0B68C25A8Fh 0x00000065 mov ecx, edi 0x00000067 not al 0x00000069 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 0000000002D903BA second address: 0000000002D903BA instructions: 0x00000000 rdtsc 0x00000002 xor dx, E322h 0x00000007 mov dword ptr [esp+1Ch], ecx 0x0000000b popad 0x0000000c sub esp, 19h 0x0000000f jmp 00007F0B68A489D8h 0x00000011 lea esp, dword ptr [esp+01h] 0x00000015 shr eax, 10h 0x00000018 lea esp, dword ptr [esp+18h] 0x0000001c test ax, ax 0x0000001f jmp 00007F0B68A489E5h 0x00000021 je 00007F0B68A488D0h 0x00000027 inc edx 0x00000028 jmp 00007F0B68A48B49h 0x0000002d push bp 0x0000002f lea esp, dword ptr [esp+02h] 0x00000033 jmp 00007F0B68A48A6Ah 0x00000035 inc edx 0x00000036 dec esi 0x00000037 jne 00007F0B68A48976h 0x0000003d movzx eax, word ptr [edx] 0x00000040 jmp 00007F0B68A48E3Ch 0x00000045 cmc 0x00000046 add ecx, eax 0x00000048 xor ax, ax 0x0000004b pushad 0x0000004c jmp 00007F0B68A4885Bh 0x00000051 xchg dx, bp 0x00000054 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 1348 | Thread sleep time: -40000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 6072 | Thread sleep count: 88 > 30
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIFDB0.tmp
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIFCE3.tmp
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIFE0F.tmp
                Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIFD51.tmp
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory allocated: 8A90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory allocated: 9230000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory allocated: 93B0000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory allocated: 93D0000 memory commit | memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
                Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
                Source: abd1 .exe, 00000003.00000002.571627415.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
                Source: abd1 .exe, 00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity
                Source: abd1 .exe, 00000003.00000002.571627415.0000000000914000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: abd1 .exe, 00000003.00000002.571627415.00000000008D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-USn
                Source: abd1 .exe, 00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: EnableGuestVmNetworkConnectivity

                Anti Debugging

                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process queried: DebugPort
                Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGERq
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGER1
                Source: abd1 .exe, 00000003.00000002.610670790.0000000004F6B000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.493786859.0000000004A8B000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.582270338.0000000004F64000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager!
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGER@
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGERA
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGER
                Source: abd1 .exe, 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | Binary or memory string: ProgmanU
                Source: abd1 .exe, 00000003.00000002.610670790.0000000004F6B000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.493786859.0000000004A8B000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.582270338.0000000004F64000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
                Source: abd1 .exe, 00000003.00000002.572505728.0000000000975000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagergUHJvIDY0LWJpdA&is=YWFhYSwgYWFhYSwgYWFh&iav=V2luZG93cyBEZWZlbmRlcg
                Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Source: abd1 .exe, 00000003.00000002.571627415.00000000008D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
MITRE ATT&CK matrix (columns are tactics; a number in front of a technique is the count of behaviour signatures that matched it, and techniques without a number were not observed in this analysis; "-" marks an empty cell):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 1 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 2 Process Injection | 21 Masquerading | 1 Credential API Hooking | 331 Security Software Discovery | 1 Replication Through Removable Media | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | 21 Input Capture | 13 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 21 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 13 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Process Injection | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 12 Software Packing | Cached Domain Credentials | 122 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

Antivirus detection, submitted file:

Source | Detection | Scanner | Label
F_4_T_U_R_4___nf____0992344.4354.msi | 23% | ReversingLabs | Binary.Trojan.Razy
F_4_T_U_R_4___nf____0992344.4354.msi | 33% | Virustotal | -

Antivirus detection, dropped files:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\WebUI.dll | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\WebUI.dll | 33% | ReversingLabs | Win32.Trojan.Razy
C:\Users\user\AppData\Roaming\abd1 .exe | 0% | ReversingLabs | -
C:\Windows\Installer\MSIFB1D.tmp | 0% | ReversingLabs | -
C:\Windows\Installer\MSIFCE3.tmp | 0% | ReversingLabs | -
C:\Windows\Installer\MSIFD51.tmp | 0% | ReversingLabs | -
C:\Windows\Installer\MSIFDB0.tmp | 0% | ReversingLabs | -
C:\Windows\Installer\MSIFE0F.tmp | 0% | ReversingLabs | -

Antivirus detection, unpacked PE files:

Source | Detection | Scanner | Label
3.2.abd1 .exe.be0000.1.unpack | 100% | Avira | TR/PWS.Sinowal.Gen2
3.2.abd1 .exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1204765

Antivirus detection, domains:

Source | Detection | Scanner | Label
ebaoffice.com.br | 0% | Virustotal | -

Antivirus detection, URLs:

Source | Detection | Scanner | Label
http://www.indyproject.org/ | 0% | URL Reputation | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpiu | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpokiesm_ | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php: | 0% | Avira URL Cloud | safe
http://stats.itopvpn.com/iusage.php | 0% | Virustotal | -
http://stats.itopvpn.com/iusage.php | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/ | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php... | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpU | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpC: | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpI | 0% | Avira URL Cloud | safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpJ | 0% | Avira URL Cloud | safe
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ebaoffice.com.br | 187.45.187.42 | true | false | - | unknown

Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
https://ebaoffice.com.br/imagens/bo/inspecionando.php | false | Avira URL Cloud: safe | unknown

URLs from memory and binaries:

Name | Source | Malicious | Antivirus Detection | Reputation
http://stats.itopvpn.com/iusage.php | abd1 .exe, 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpiu | abd1 .exe, 00000003.00000002.613416696.0000000008D90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpokiesm_ | abd1 .exe, 00000003.00000002.571627415.00000000008BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/cps0/ | F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | false | - | high
https://ebaoffice.com.br/imagens/bo/inspecionando.php: | abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.thawte.com/repository0W | F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | false | - | high
https://ebaoffice.com.br/ | abd1 .exe, 00000003.00000002.571627415.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpU | abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php | abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | abd1 .exe, 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | false | - | high
https://ebaoffice.com.br/imagens/bo/inspecionando.php... | abd1 .exe, 00000003.00000002.613416696.0000000008D90000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.571627415.00000000008BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.advancedinstaller.com | F_4_T_U_R_4___nf____0992344.4354.msi, MSIFE0F.tmp.1.dr, MSIFD51.tmp.1.dr, MSIFDB0.tmp.1.dr, 58f706.msi.1.dr | false | - | high
http://www.indyproject.org/ | abd1 .exe, abd1 .exe, 00000007.00000002.571458526.0000000000FAF000.00000040.00000001.01000000.00000004.sdmp | false | URL Reputation: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpC: | abd1 .exe, 00000003.00000002.613416696.0000000008D90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpJ | abd1 .exe, 00000003.00000002.571627415.00000000008BB000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.571627415.0000000000930000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpI | abd1 .exe, 00000003.00000002.571627415.00000000008AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
15.228.77.178 | unknown | United States | 16509 | AMAZON-02US | false
187.45.187.42 | ebaoffice.com.br | Brazil | 33182 | DIMENOCUS | false
General information:

Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 825405
Start date and time: 2023-03-13 13:38:47 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: F_4_T_U_R_4___nf____0992344.4354.msi
Detection: MAL
Classification: mal84.evad.winMSI@8/27@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 66.7% (good quality ratio 0%)
• Quality average: 0%
• Quality standard deviation: 0%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Execution Graph export aborted for target abd1 .exe, PID 1380 because there are no executed functions
• Execution Graph export aborted for target abd1 .exe, PID 5600 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
13:40:33 | API Interceptor | 1x Sleep call for process: abd1 .exe modified
13:40:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
13:41:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
Similar samples by contacted IP:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
15.228.77.178 | rPEDIDOS-10032023-X491kkum.msi | malicious | Unknown | -
15.228.77.178 | z93nf_e_mnhhh345553.msi | malicious | Unknown | -
15.228.77.178 | z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown | -
15.228.77.178 | PEDIDOS-08032023-X388omke.msi | malicious | Unknown | -
15.228.77.178 | Nota-LG-emitida-13488mhqt.msi | malicious | Unknown | -
15.228.77.178 | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | -
15.228.77.178 | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | -
15.228.77.178 | rPedido-Danfe-03-03-202316872pnlc.msi | malicious | Unknown | -
15.228.77.178 | Autos-Processo 27-02-2023 ligh.msi | malicious | Unknown | -
15.228.77.178 | rEmita-Danfe-01-03-20234076czdg.msi | malicious | Unknown | -
187.45.187.42 | z93nf_e_mnhhh345553.msi | malicious | Unknown | -
187.45.187.42 | z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown | -
187.45.187.42 | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | -
187.45.187.42 | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | -
Similar samples by contacted domain:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ebaoffice.com.br | z93nf_e_mnhhh345553.msi | malicious | Unknown | 187.45.187.42
ebaoffice.com.br | z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown | 187.45.187.42
ebaoffice.com.br | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
ebaoffice.com.br | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
Similar samples by ASN:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | https://thepointofview.net/office/?owner=aHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL2FwcGZvcmVzdF91Zi9mMTY3NzQxODYwMjI2OHgzNDQ1NTI5NTUyODczMTQxMDAvaW5kZXguaHRtbCNjcm9nZXJzQGhhcnJpc3dpbGxpYW1zLmNvbQ== | malicious | HTMLPhisher | 52.216.18.179
AMAZON-02US | aaYFJC4N64.exe | malicious | FormBook | 3.64.163.50
AMAZON-02US | https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flogin.00003326.com%2ftmflgCwk&c=E,1,JTWj2bHuNr1TNMAZHSMgieyKpIn8dpJDNdQeH6NJ4lxBOFuCMB0cFLijyNE_9E6Hph9NREkq_nGU0tMcH-mD0tt9fn4_tZcE1pr5DQWIEg,,&typo=1 | malicious | Unknown | 18.157.218.44
AMAZON-02US | https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flogin.00003326.com%2ftmflgCwk&c=E,1,ENk6ydP8bLnlFhmTaMk0TWi8O97HbXlOHKIn7jtgReTbUyGmJIMsjax8759GgBIc7JrYOBqvMoVyb1wLOJ294xEswjW5k00C8ZRwHyAcAw,,&typo=1 | malicious | Unknown | 3.15.89.126
AMAZON-02US | https://linkprotect.cudasvc.com/url?a=https%3a%2f%2flogin.00003326.com%2ftmflgCwk&c=E,1,ho1NY684sGRkyhTT8x634A04hI7UGaYvSsWuJIt2p4vky_v0JfwtQsORnZAt5YoqdNihWTqGnuoATRQ1KonlMfoDnI-_vgtoyeex8PmnKd1_tyTk47UnxOs5Uzs,&typo=1 | malicious | Unknown | 3.122.110.44
AMAZON-02US | rPEDIDOS-10032023-X491kkum.msi | malicious | Unknown | 15.228.77.178
AMAZON-02US | https://idhelp23049215812893444.web.app/ | malicious | Unknown | 18.185.166.222
AMAZON-02US | PO-230803-S00.exe | malicious | FormBook | 3.69.136.55
AMAZON-02US | https://awholelevelkpo.s3.us-east-2.amazonaws.com/index.html | malicious | Unknown | 52.219.107.10
AMAZON-02US | qtXuN5sDix.rtf | malicious | Remcos, FormBook | 18.190.160.39
AMAZON-02US | https://www.msn.com/pt-pt/noticias/other/greve-de-maquinistas-cp-antecipa-especial-impacto-na-sexta-feira/ar-AA18pim3?ocid=entnewsntp&cvid=5309aaea6b164ccbb2cf47bd8a788782&ei=13 | malicious | Unknown | 3.66.118.193
AMAZON-02US | trttrabalhodocseis.msi | malicious | Unknown | 52.218.220.1
AMAZON-02US | hua.apk | malicious | Unknown | 13.228.23.243
AMAZON-02US | hua.apk | malicious | Unknown | 13.228.23.243
AMAZON-02US | quotation.doc23.exe | malicious | FormBook | 3.13.31.214
AMAZON-02US | SATIN_ALMA_EMR#U0130.exe | malicious | FormBook | 3.64.163.50
AMAZON-02US | http://47.87.201.129:71/sdjdshdgdsdsfsfausjashsaggsafsfaa.x86 | malicious | Unknown | 54.149.38.208
AMAZON-02US | php.ini | malicious | Unknown | 3.64.163.50
AMAZON-02US | https://links.info.tjx.com/ctt?m=17231935&rnxghs=MjY0MDEyMzU5MzU0S0&b=0&j=MTc4MTczNTAyNwS2&k=Portal%20URL&kx=1&kt=12&kd=https://vegasvalleypainting.com%2F%2F%2F%2F/password/%2F%2F%2F%2Fverification/mhbsptk%2F%2F%2F%2Ftest.user@outlook.com | malicious | HTMLPhisher | 13.224.189.7
AMAZON-02US | Ro7iDwFIKA.exe | malicious | FormBook | 3.64.163.50
DIMENOCUS | COTIZACIONES_GOYMA.xlsx.exe | malicious | AgentTesla | 184.171.242.24
DIMENOCUS | z93nf_e_mnhhh345553.msi | malicious | Unknown | 187.45.187.42
DIMENOCUS | z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown | 187.45.187.42
DIMENOCUS | https://darudar.org/external/?link=https://ymxvy2thdhrhy2tz-x54vm.pagemaker.link/ymxv-y-2-thd-h-rh-y-2-tz?draft | malicious | HTMLPhisher | 98.142.99.242
DIMENOCUS | http://links.next-retail.mkt4934.com/ctt?m=34617369&r=LTU2NTczOTM1NjIS1&b=0&j=MjMwMzU2NDUwOQS2&k=TrackYourOrder&kx=1&kt=5&kd=https://grupocrusol.com.mx/new/auth//1v5egwymixx7f//kmccormick@elkandelk.com | malicious | HTMLPhisher | 98.142.99.242
DIMENOCUS | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
DIMENOCUS | __B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
DIMENOCUS | arm7.elf | malicious | Mirai, Moobot | 212.18.238.174
DIMENOCUS | https://affiliate.insider.com/?amazonTrackingID=biauto-1053-20&postID=61b8efc8f2a36b1ac9f42d54&site=in&u=http://Motional.houseoflegendsusa.com/Motional/zeb.dawson@motional.com | malicious | HTMLPhisher | 198.49.73.146
DIMENOCUS | Employees New Payroll Amendment.htm | malicious | HTMLPhisher, ReCaptcha Phish | 187.45.187.106
DIMENOCUS | ORDEN DE COMPRA 80107.vbs | malicious | AgentTesla | 184.171.242.24
DIMENOCUS | Scanned documents. Tuesday February 7 2023 (12.6 KB).msg | malicious | HTMLPhisher | 67.23.248.124
DIMENOCUS | MvgLSNs1B8.exe | malicious | AgentTesla, zgRAT | 184.171.242.24
DIMENOCUS | 91#U03a3.vbs | malicious | AgentTesla | 184.171.242.24
DIMENOCUS | Teknik veri sayfas#U0131.exe | malicious | AgentTesla | 186.227.194.42
DIMENOCUS | Statement 210826.exe | malicious | AgentTesla | 138.128.163.242
DIMENOCUS | 1194 FE7191PO1.exe | malicious | AgentTesla | 138.128.163.242
DIMENOCUS | 91#U03a3.vbs | malicious | AgentTesla | 184.171.242.24
DIMENOCUS | 20518497.exe | malicious | AgentTesla | 138.128.163.242
DIMENOCUS | http://soporte.seven.com.co/@@/GlobalSources/index.php?email=hzelenske@latshawdrilling.com | malicious | Unknown | 107.161.186.122
Similar samples by JA3 fingerprint:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | dYnCG9EA36.exe | malicious | Amadey, Djvu, RedLine, SmokeLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | SHIPPPING-DOC..exe | malicious | FormBook, GuLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | cnCBwuJbqc.exe | malicious | Amadey, Djvu, SmokeLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | AgentTesla, GuLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | Gea_Order.vbs | malicious | FormBook | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | factura.exe | malicious | AgentTesla, GuLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Djvu, HTMLPhisher | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Djvu | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Amadey, Djvu, Fabookie, RedLine, SmokeLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | rSC_TR11670000.exe | malicious | GuLoader, Lokibot | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Amadey, Djvu, Fabookie, SmokeLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Amadey, Djvu, RedLine, SmokeLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Raccoon Stealer v2, Vidar | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Clipboard Hijacker, Djvu | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | Vl6yCluU0y.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Amadey, Djvu, RedLine, SmokeLoader | 187.45.187.42
37f463bf4616ecd445d4a1937da06e19 | file.exe | malicious | Vidar | 187.45.187.42
Similar samples by dropped file:

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\abd1 .exe | rPEDIDOS-10032023-X491kkum.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | j3PHT0tBBF.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | j3PHT0tBBF.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | rPedido-Danfe-03-03-202316872pnlc.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | Autos-Processo 27-02-2023 ligh.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | rEmita-Danfe-01-03-20234076czdg.msi | malicious | Unknown | -
C:\Users\user\AppData\Roaming\abd1 .exe | Formulario_20183.msi | malicious | Hidden Macro 4.0 | -
Created / dropped files:

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: modified
Size (bytes): 1656
Entropy (8bit): 5.446938038017148
Encrypted: false
SSDEEP: 24:egc/ZLE4x8ZlTi6OZh26AN3dHXXj/qz/l79M/lpek/f/6+uw4ib+w4ib3idnw4io:eXUARud3XLWl7WLeAK+D/l8IAX6H70
MD5: 8F001D1A885A06EB99F6E3BF7D91C55F
SHA1: 861FC42F5EC6D42C98A971468E529D8ABF264824
SHA-256: 7BDE73B3CDF3BDD5819420620265A869C5B35C719670AB6E4BF6D0A8DADCDB8C
SHA-512: 406E3C3AD41B2708D36954EDE2B8AAF7214573A26B0FB29569E95B8E267522429C537F4467BAF8B72F6BDFDA58C9FBA653235DA519FD8A872875B4F47EE313A5
Malicious: false
Reputation: low
Preview: ...@IXOS.@.....@.lmV.@.....@.....@.....@.....@.....@......&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}..S.e.g.u.r.a.n...a.$.F_4_T_U_R_4___nf____0992344.4354.msi.@.....@.....@.....@........&.{1591EB4C-34D2-4BDA-9089-24064DA0F2CC}.....@.....@.....@.....@.......@.....@.....@.......@......S.e.g.u.r.a.n...a.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{1A573064-1B56-414E-839D-1FB0EE20F8DE}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@......&.{9F670939-91D7-4A6F-B74F-10A75617B066}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@......&.{44F4F922-693E-4C6F-9440-2DED29A4557D}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@......&.{6974057C-0176-4435-83DE-6C1B9EDBDB20}&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}.@........CreateFolders..Criando novas pastas..Pasta: [1]". .C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~.......

Process: C:\Users\user\AppData\Roaming\abd1 .exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 32
Entropy (8bit): 4.327819531114783
Encrypted: false
SSDEEP: 3:1EypyeW509ov:1Xpy3Z
MD5: 97EA5ECE2D14772C65395E336D4AF5A1
SHA1: 49ABA2B8C9F6C9890298AB499084EDD22886CB68
SHA-256: 732A37B3463B73065E8C16DE9E155503EFB67A077F294CF103F9871D20C2D4BD
SHA-512: E9B22B56A5480FF4F4F8B78A81C89A5805D1977759ADD8A5565FE2562D3439116F173984462E36F396448D2B40A3AF9119493825A77F69E4D9BF7F9EC5957154
Malicious: false
Reputation: low
Preview: [Generate Pasta]..opyWsdjokjKX..

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 158954
Entropy (8bit): 3.8024922526481184
Encrypted: false
                                                                    SSDEEP:1536:8KDfNp060a9zcoDvqiHMco8F/plAs4A9vfgstcAnLcfAw/BZ/Q8hA7AKA0AmAmSk:8j4nhPJrF
                                                                    MD5:3440F5A49B4C4717D1E78B19A704B7A7
                                                                    SHA1:0804F6E1AD5522C3F0A16D2110DF1441404522BB
                                                                    SHA-256:6A01B709474F6E76B263A06A2103EA2E7725742EAD0921B6321A5B6669142F44
                                                                    SHA-512:546AE61E3A1E09DCF96E4FD8BAA9682FD7C2BBDA31FFDECED2DE30811D96E0B446C38190A1562943753CB2D7D655414FA467BEE82C994A73FCCE37E0A8C6558B
                                                                    Malicious:false
                                                                    Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .3./.1.3./.2.0.2.3. . .1.3.:.3.9.:.4.3. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.2.8.:.2.0.). .[.1.3.:.3.9.:.4.3.:.6.1.0.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.2.8.:.2.0.). .[.1.3.:.3.9.:.4.3.:.6.1.0.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.2.8.:.A.8.). .[.1.3.:.3.9.:.4.3.:.6.5.7.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.2.8.:.A.8.). .[.1.3.:.3.9.:.4.3.:.6.5.7.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):7307264
                                                                    Entropy (8bit):7.860116919084681
                                                                    Encrypted:false
                                                                    SSDEEP:196608:5Z4bJLpoDpOhtKsyRZJblXp02pazEidho:5W1ibtD02paNho
                                                                    MD5:EB4A24BA27770A4F2869EA7171841AF2
                                                                    SHA1:35E3748B5C640043B5785EAED7F4E3600EA6BF8D
                                                                    SHA-256:33CCC92CD172916356FD88135D5EAB1CE25FA21B6BC185BBD12319A597D9224B
                                                                    SHA-512:E46144E43B3EC04ED17699104185E9CFFD706DD80004C0CF44D80ED5FD8297C10A5F0662F1DCB921D633B906A15BE3B301A3703C282488B141C7854EA653516E
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 33%
                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....J.d............................"01...........@...........................=.......o.............................I.0......P=.h....`=......................p=......................................................................................text....`.......~Q.................`....sedata......p........Q............. ....idata.......P=......bo.............@....rsrc........`=......ho.............@....reloc.......p=......lo.............@..B.sedata.......=......po.............@..@................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1856512
                                                                    Entropy (8bit):6.763893864307226
                                                                    Encrypted:false
                                                                    SSDEEP:24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
                                                                    MD5:CEEF4762B36067F1D32A0DB621EE967E
                                                                    SHA1:D23DA38DF6B0FCA8C524B641C59C700A2338648E
                                                                    SHA-256:EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                                                                    SHA-512:6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse
                                                                    • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                    • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                    • Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse
                                                                    • Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse
                                                                    • Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse
                                                                    • Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse
                                                                    • Filename: Formulario_20183.msi, Detection: malicious, Browse
                                                                    Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                     File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {1591EB4C-34D2-4BDA-9089-24064DA0F2CC}, Number of Words: 10, Subject: Segurança, Author: windows, Name of Creating Application: Segurança, Template: ;1046, Comments: windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 12 22:04:38 2023, Number of Pages: 200
                                                                    Category:dropped
                                                                    Size (bytes):8618496
                                                                    Entropy (8bit):7.924242405761148
                                                                    Encrypted:false
                                                                    SSDEEP:196608:oI7uo7rto7HsTmjJ+f6bZLFrxxaj5nYm1/3g:oISYOLVNxxguW3
                                                                    MD5:C318D63F64C2B8274C35A4B20964FF9B
                                                                    SHA1:5605EC59345BFC315ABD005415B5AC778B80C175
                                                                    SHA-256:003A2316FF87962FEF3F26F662A04C111F41C1832CC6B9716377767219981594
                                                                    SHA-512:315DBBB6DC6ED49D7839EB9EC4CD4F6C749CBA380D94A29D88D74D44FA76AAC31BFEB4B9543FB0B07CEB0C63832CA8D03094DFFB468A6B7E3ADF6D44A7C8D99E
                                                                    Malicious:false
                                                                    Preview:......................>.......................................................E.......b.......n...............................................e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~.......................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...........>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):2003
                                                                    Entropy (8bit):5.094615970553156
                                                                    Encrypted:false
                                                                    SSDEEP:48:jXUA4Z3XRJw7Uo/tMNekD+cdqZCcGAX657TmD:jXUAmzOt4qZNGi6RmD
                                                                    MD5:F1C23349E4FDAC9057B3BC3F0204EF79
                                                                    SHA1:EE181FCCB7438E14A5D0A748946B1865D8D622A8
                                                                    SHA-256:C9FE1690B2C1535EED7C4CC9E767D04FAB7AA0B306E50C5923157CB1B1E3D2F0
                                                                    SHA-512:1A2FCE0CA22C1778EFF21F7AC8F7E80D58B3D896F3C71B3441C5FCED6775C9BA0B4488E99A46326BFC52F9106E469A340DADBAAE96D5E74128A02381814FBB0F
                                                                    Malicious:false
                                                                    Preview:...@IXOS.@.....@.lmV.@.....@.....@.....@.....@.....@......&.{5B6DD163-ACCC-4C96-9556-2D5AA8D5D479}..S.e.g.u.r.a.n...a.$.F_4_T_U_R_4___nf____0992344.4354.msi.@.....@.....@.....@........&.{1591EB4C-34D2-4BDA-9089-24064DA0F2CC}.....@.....@.....@.....@.......@.....@.....@.......@......S.e.g.u.r.a.n...a.......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{1A573064-1B56-414E-839D-1FB0EE20F8DE} .C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{9F670939-91D7-4A6F-B74F-10A75617B066}&.0.1.:.\.S.o.f.t.w.a.r.e.\.w.i.n.d.o.w.s.\.S.e.g.u.r.a.n...a.\.V.e.r.s.i.o.n..@.......@.....@.....@......&.{44F4F922-693E-4C6F-9440-2DED29A4557D}).C:\Users\user\AppData\Roaming\WebUI.dll.@.......@.....@.....@......&.{6974057C-0176-4435-83DE-6C1B9EDBDB20}).C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):592288
                                                                    Entropy (8bit):6.451258406471538
                                                                    Encrypted:false
                                                                    SSDEEP:6144:AgfrHltQFK4iVWYFkkc0V1koKRcWyxjg3AOqQb985Gt5A6U:AgDfnzVbkY1kdRlz8M98536U
                                                                    MD5:89AFE34385AB2B63A7CB0121792BE070
                                                                    SHA1:56CDF3F32D03AA4A175FA69A33A21AAF5B42078D
                                                                    SHA-256:36E35EAFC91451A38AD7E7958156841CD2F004D5791FD862D5AFA4D5F9DF9103
                                                                    SHA-512:14A851B3B4D3B8DBB9A2B3EA84D3C30FC9884A8924AF0726A717C68DB5E8F5E717DC78CA62E5F455010E46C1FECF294791B89F7426CC14FFDD4C84945518BB9C
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........w.g...4...4...4Sd.5...4Sd.5+..4.j.5...4.j.5...4.j.5...4Sd.5...4Sd.5...4Sd.5...4...48..4Fj.5...4Fj.5...4Fju4...4...4...4Fj.5...4Rich...4........................PE..L......d.........."!...".6...........R.......P...............................0............@..........................W..(...(`..,........................#.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.1758928807700233
                                                                    Encrypted:false
                                                                    SSDEEP:12:JSbX72FjCJAGiLIlHVRpHh/7777777777777777777777777vDHFlsJ4l0i8Q:JgJQI5j34F
                                                                    MD5:D20AAD8DA4F52315DA89B7E5209F3F77
                                                                    SHA1:4436EB7B1200336CB0A39FEB555F2111567FAB8A
                                                                    SHA-256:AA67DD5E816396318EB44327CB9F8045042ED3E42847B4AC26B029CB4BD32422
                                                                    SHA-512:D7DB6F6D287D45FE0CA889601CE4633DE7595034A92368E25A9D3A7E3F90886A4A5A204FFB3C75DCC6C231684F39B652CFAB04F05D53ECC0331435C06228FB17
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.5099761127893134
                                                                    Encrypted:false
                                                                    SSDEEP:48:Y8Phj7uRc06WXJKFT5TaMEOCXSnAErCyjMHWSjTqs:nhj71BFTNaMEbXBwC0M2J
                                                                    MD5:B817BFF28C5F35C99E8E6FF52204B97D
                                                                    SHA1:FBA33B8F78A97A228129AEAFC778846AF9CB3023
                                                                    SHA-256:74400664761A54D800D6FD78B3460D8D6EF340B8E2F8C43E62D2AF67FB587E8C
                                                                    SHA-512:9A29E83C1B2CB4015CCFBB31221447E8F2206F621B3962856C9D32F168EFDC31C56E29A2B09840938FAB976CA993F552FF303953DCBD86D16E6B44886696D254
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):81287
                                                                    Entropy (8bit):5.298775936415313
                                                                    Encrypted:false
                                                                    SSDEEP:192:XL/vcrZZDZo/ZrXczaIcO/gcMH5elWSLc:XDvsDZGrkaIcO/Y5Xuc
                                                                    MD5:2F3D5B70BEC9C069CAAA060F169DE2A5
                                                                    SHA1:EED2BCFF8ABFB22EDEA1A54084294775E2420BF8
                                                                    SHA-256:8635476EF9046834E980D901FCC94D6C607BEB80905DB991B12977178913FDB9
                                                                    SHA-512:B7D64D9AF649224E4CE85D3DBC7D61D3BB2E1173CA2A50EBAD79618A9E4FEC053C535E2A14739565747F9C7DDC6155673FEFBBCF49264C945D80827F9A32867E
                                                                    Malicious:false
                                                                    Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:38:04.497 [4552]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.513 [4552]: ngen returning 0x00000000..07/23/2020 10:38:04.559 [4480]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.559 [4480]: ngen returning 0x00000000..07/23/2020 10:38:04.622 [4256]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:38:04.622 [
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):0.08056744163790577
                                                                    Encrypted:false
                                                                    SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOOubs3WvIYVky6l4:2F0i8n0itFzDHFlsJ4
                                                                    MD5:7A47E7A63A81F466CCDDB3E569CA3A35
                                                                    SHA1:4C8962EA57E71EC97E77227A28D55DDCC69895FE
                                                                    SHA-256:B80EE1CE89D94F2A4146584A0FE2A4A5004B6469321FA7E11C0E57414568E2CE
                                                                    SHA-512:07AA105F164783B903BC73D3903AF56E81FD25C84755B1B36684D004CFDED03D448B473725DF6B8652989813B08995EF3EDF9B5528F35722267F73102C643E05
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.5099761127893134
                                                                    Encrypted:false
                                                                    SSDEEP:48:Y8Phj7uRc06WXJKFT5TaMEOCXSnAErCyjMHWSjTqs:nhj71BFTNaMEbXBwC0M2J
                                                                    MD5:B817BFF28C5F35C99E8E6FF52204B97D
                                                                    SHA1:FBA33B8F78A97A228129AEAFC778846AF9CB3023
                                                                    SHA-256:74400664761A54D800D6FD78B3460D8D6EF340B8E2F8C43E62D2AF67FB587E8C
                                                                    SHA-512:9A29E83C1B2CB4015CCFBB31221447E8F2206F621B3962856C9D32F168EFDC31C56E29A2B09840938FAB976CA993F552FF303953DCBD86D16E6B44886696D254
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):1.2139294912318463
                                                                    Encrypted:false
                                                                    SSDEEP:48:pir7ulO+CFXJ7T5laMEOCXSnAErCyjMHWSjTqs:gr7FjTDaMEbXBwC0M2J
                                                                    MD5:2462556B2A6FF0FA111FE005FBEF7E7C
                                                                    SHA1:255A5C348F220A7FB4B1BB162F523508DE467955
                                                                    SHA-256:EC565BD4FB6A7923C4348BA89BA223AF36E39F78C8BBB0BB8505DBB124D6E828
                                                                    SHA-512:119AF33CF24242501D0FB876A6E316711C5C458586414E6249A83BA12197130558371629544DAF55A26512C7ADF4CEC18CE1B046EDACDB61946E756E24A40366
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):1.2139294912318463
                                                                    Encrypted:false
                                                                    SSDEEP:48:pir7ulO+CFXJ7T5laMEOCXSnAErCyjMHWSjTqs:gr7FjTDaMEbXBwC0M2J
                                                                    MD5:2462556B2A6FF0FA111FE005FBEF7E7C
                                                                    SHA1:255A5C348F220A7FB4B1BB162F523508DE467955
                                                                    SHA-256:EC565BD4FB6A7923C4348BA89BA223AF36E39F78C8BBB0BB8505DBB124D6E828
                                                                    SHA-512:119AF33CF24242501D0FB876A6E316711C5C458586414E6249A83BA12197130558371629544DAF55A26512C7ADF4CEC18CE1B046EDACDB61946E756E24A40366
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):73728
                                                                    Entropy (8bit):0.11639707920874585
                                                                    Encrypted:false
                                                                    SSDEEP:24:XNt8q+eTx0wipV0a0wipV0SAEV0yjCyjMHVQwGQ7b+voM0:X5/T9S7SnAErCyjMHfbOoM0
                                                                    MD5:6843D322CE40F7ABECE6E58BC047BD92
                                                                    SHA1:8AB4E1AF26A5FAFFC726867C625E12CB60C67A7F
                                                                    SHA-256:3CC6CB2D2FEED2EC62F9DBBAF558A3260FDC34DEA23E12CB65808B7E10BED935
                                                                    SHA-512:E123B403C0BF600895BAB27FCF88F85905764982AF4238255630BE201726F015E40580DF6E862AEC4194798DCEB8A759CF225A50FCD2ABE971C1441BFCD5ABC5
                                                                    Malicious:false
                                                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):20480
                                                                    Entropy (8bit):1.5099761127893134
                                                                    Encrypted:false
                                                                    SSDEEP:48:Y8Phj7uRc06WXJKFT5TaMEOCXSnAErCyjMHWSjTqs:nhj71BFTNaMEbXBwC0M2J
                                                                    MD5:B817BFF28C5F35C99E8E6FF52204B97D
                                                                    SHA1:FBA33B8F78A97A228129AEAFC778846AF9CB3023
                                                                    SHA-256:74400664761A54D800D6FD78B3460D8D6EF340B8E2F8C43E62D2AF67FB587E8C
                                                                    SHA-512:9A29E83C1B2CB4015CCFBB31221447E8F2206F621B3962856C9D32F168EFDC31C56E29A2B09840938FAB976CA993F552FF303953DCBD86D16E6B44886696D254
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:Composite Document File V2 Document, Cannot read section info
                                                                    Category:dropped
                                                                    Size (bytes):32768
                                                                    Entropy (8bit):1.2139294912318463
                                                                    Encrypted:false
                                                                    SSDEEP:48:pir7ulO+CFXJ7T5laMEOCXSnAErCyjMHWSjTqs:gr7FjTDaMEbXBwC0M2J
                                                                    MD5:2462556B2A6FF0FA111FE005FBEF7E7C
                                                                    SHA1:255A5C348F220A7FB4B1BB162F523508DE467955
                                                                    SHA-256:EC565BD4FB6A7923C4348BA89BA223AF36E39F78C8BBB0BB8505DBB124D6E828
                                                                    SHA-512:119AF33CF24242501D0FB876A6E316711C5C458586414E6249A83BA12197130558371629544DAF55A26512C7ADF4CEC18CE1B046EDACDB61946E756E24A40366
                                                                    Malicious:false
                                                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Windows\System32\msiexec.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):512
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3::
                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                    Malicious:false
                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
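Several of the dropped-file records above share one fingerprint: size 512, entropy 0.0, SSDEEP `3::`, and the same MD5/SHA1/SHA-256. A practitioner triaging this report wants to confirm offline that these are zero-filled sectors written by the installer engine rather than payload worth pivoting on. The following Python is an added example, not part of the Joe Sandbox report; it recomputes the fields the report prints ("Entropy (8bit)" and the hash set) for a constructed 512-byte run of null bytes and applies a small entropy-based triage rule. The `FileRecord` and `triage` names are this example's own.

```python
"""Recompute sandbox dropped-file fields (entropy, hashes) and triage by entropy.

Added example; the constructed input below is 512 null bytes, the shape of
the 512-byte / entropy 0.0 records in the report.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    size: int
    entropy: float
    md5: str
    sha1: str
    sha256: str


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the
    report's 'Entropy (8bit)' column. Uses 0.0 - sum(...) to avoid -0.0."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> FileRecord:
    """Build the same field set the report shows per dropped file."""
    return FileRecord(
        size=len(data),
        entropy=shannon_entropy(data),
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
    )


def triage(data: bytes) -> str:
    """Coarse label an analyst can sort records by before looking at content.

    null-filled   : every byte is 0x00 (entropy 0.0); zeroed sector, no payload
    low-entropy   : < 1.0 bits/byte; mostly padding or sparse structure
    high-entropy  : > 7.5 bits/byte; compressed, packed or encrypted content
    mixed         : anything else (text, ordinary binaries)
    """
    rec = describe(data)
    if rec.size == 0:
        return "empty"
    if not any(data):
        return "null-filled"
    if rec.entropy < 1.0:
        return "low-entropy"
    if rec.entropy > 7.5:
        return "high-entropy"
    return "mixed"


def matches_report(rec: FileRecord, md5: str, sha256: str) -> bool:
    """Compare a recomputed record against hashes copied from a report,
    case-insensitively (the report prints upper-case hex)."""
    return rec.md5 == md5.lower() and rec.sha256 == sha256.lower()


if __name__ == "__main__":
    # Constructed input: one 512-byte block of null bytes.
    null_sector = b"\x00" * 512
    rec = describe(null_sector)
    print(rec)
    print("triage:", triage(null_sector))
    # Hashes as printed in the 512-byte records of the report above.
    print("matches report:", matches_report(
        rec,
        "BF619EAC0CDF3F68D496EA9344137E8B",
        "076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560",
    ))
```

Running it reproduces the MD5 and SHA-256 shown for every 512-byte record, which is enough to drop those entries from a pivot list; the same `triage` rule flags the 8,618,496-byte sample itself (entropy 7.92 in the static info below) as high-entropy, consistent with compressed installer streams.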
                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {1591EB4C-34D2-4BDA-9089-24064DA0F2CC}, Number of Words: 10, Subject: Segurança, Author: windows, Name of Creating Application: Segurança, Template: ;1046, Comments: windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 12 22:04:38 2023, Number of Pages: 200
                                                                    Entropy (8bit):7.924242405761148
                                                                    TrID:
                                                                    • Microsoft Windows Installer (77509/1) 52.18%
                                                                    • Windows SDK Setup Transform Script (63028/2) 42.43%
                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                                                    File name:F_4_T_U_R_4___nf____0992344.4354.msi
                                                                    File size:8618496
                                                                    MD5:c318d63f64c2b8274c35a4b20964ff9b
                                                                    SHA1:5605ec59345bfc315abd005415b5ac778b80c175
                                                                    SHA256:003a2316ff87962fef3f26f662a04c111f41c1832cc6b9716377767219981594
                                                                    SHA512:315dbbb6dc6ed49d7839eb9ec4cd4f6c749cba380d94a29d88d74d44fa76aac31bfeb4b9543fb0b07ceb0c63832ca8d03094dffb468a6b7e3adf6d44a7c8d99e
                                                                    SSDEEP:196608:oI7uo7rto7HsTmjJ+f6bZLFrxxaj5nYm1/3g:oISYOLVNxxguW3
                                                                    TLSH:08962326E2C7C922C55C027BF419FF5E15757EA3473001E3FAE9396E88F08C1A6BA645
                                                                    File Content Preview:........................>.......................................................E.......b.......n...............................................e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~..........
                                                                    Icon Hash:a2a0b496b2caca72
TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 13, 2023 13:40:34.317219973 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:34.317285061 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:34.317380905 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:34.401356936 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:34.401411057 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:34.570044041 CET  49693        80         192.168.2.5    15.228.77.178
Mar 13, 2023 13:40:35.111449957 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:35.111655951 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:35.374905109 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:35.374941111 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:35.375363111 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:35.375452042 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:35.377639055 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:35.377667904 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:36.007750034 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:36.007823944 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:36.007843018 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:36.008141994 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:36.008193970 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:36.008222103 CET  443          49692      187.45.187.42  192.168.2.5
Mar 13, 2023 13:40:36.008243084 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:36.008299112 CET  49692        443        192.168.2.5    187.45.187.42
Mar 13, 2023 13:40:37.573622942 CET  49693        80         192.168.2.5    15.228.77.178
Mar 13, 2023 13:40:43.589778900 CET  49693        80         192.168.2.5    15.228.77.178
UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 13, 2023 13:40:34.068526030 CET  56953        53         192.168.2.5  8.8.8.8
Mar 13, 2023 13:40:34.296238899 CET  53           56953      8.8.8.8      192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Mar 13, 2023 13:40:34.068526030 CET  192.168.2.5  8.8.8.8  0xc378    Standard query (0)  ebaoffice.com.br  A (IP address)  IN (0x0001)  false

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName    Address        Type            Class        DNS over HTTPS
Mar 13, 2023 13:40:34.296238899 CET  8.8.8.8    192.168.2.5  0xc378    No error (0)  ebaoffice.com.br  (empty)  187.45.187.42  A (IP address)  IN (0x0001)  false
                                                                    • ebaoffice.com.br
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49692        187.45.187.42   443               C:\Users\user\AppData\Roaming\abd1 .exe

Timestamp                kBytes transferred  Direction  Data
2023-03-13 12:40:35 UTC  0                   OUT        GET /imagens/bo/inspecionando.php HTTP/1.1
                                                        Accept: */*
                                                        Accept-Language: en-US
                                                        Accept-Encoding: gzip, deflate
                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                        Host: ebaoffice.com.br
                                                        Connection: Keep-Alive
2023-03-13 12:40:36 UTC  0                   IN         HTTP/1.1 200 OK
                                                        Connection: close
                                                        x-powered-by: PHP/5.6.40
                                                        content-type: text/html; charset=UTF-8
                                                        cache-control: public, max-age=0
                                                        expires: Mon, 13 Mar 2023 12:40:35 GMT
                                                        content-length: 0
                                                        date: Mon, 13 Mar 2023 12:40:35 GMT
                                                        server: LiteSpeed
                                                        x-ua-compatible: IE=Edge,chrome=1
                                                        alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
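The exchange above is the dropped executable's check-in: after resolving ebaoffice.com.br through 8.8.8.8 to 187.45.187.42, abd1 .exe sends one GET for /imagens/bo/inspecionando.php over port 443 with a hard-coded Internet Explorer 7 user agent and receives an empty 200 OK. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that turns those values into detection logic and runs it over constructed proxy log lines in a hypothetical pipe-delimited format. The host, IP, path and user agent are copied from the report; every log line, client address and other host name is made up for the example.

```python
"""Detection logic for the C2 check-in observed in this report, run over
constructed proxy log lines.

Indicator values (host, IP, path, user agent) are copied from the report.
The log format and every log line below are constructed for this example and
are not real telemetry.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Indicators from the report: the HTTPS check-in made by abd1 .exe.
C2_HOST = "ebaoffice.com.br"
C2_IP = "187.45.187.42"
C2_PATH = "/imagens/bo/inspecionando.php"
C2_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)"
)

# Hypothetical pipe-delimited proxy log, one record per line:
# timestamp|client_ip|dest_ip|method|url|status|bytes_in|user_agent
LOG_RE = re.compile(
    r"^(?P<ts>[^|]*)\|(?P<client>[^|]*)\|(?P<dst>[^|]*)\|(?P<method>[A-Z]+)\|"
    r"(?P<url>[^|]*)\|(?P<status>\d{3})\|(?P<bytes>\d+)\|(?P<ua>.*)$"
)


@dataclass
class Hit:
    line_no: int
    client: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Host, path or IP ties the record to this sample's infrastructure;
        # user agent or response shape alone is only a medium-confidence lead.
        strong = {"c2-host", "c2-path", "c2-ip"}
        return "high" if strong & set(self.reasons) else "medium"


def _host_and_path(method: str, url: str):
    """Return (host, path) for a proxy record.

    CONNECT records carry only "host:port": without TLS interception the proxy
    never sees the request line, so path and user agent are unavailable.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower(), None
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def classify(record: dict) -> list:
    """Return the indicator names matched by one parsed record."""
    reasons = []
    host, path = _host_and_path(record["method"], record["url"])
    if host == C2_HOST:
        reasons.append("c2-host")
    if record["dst"] == C2_IP:
        reasons.append("c2-ip")
    if path == C2_PATH:
        reasons.append("c2-path")
    if record["ua"] == C2_USER_AGENT:
        reasons.append("c2-user-agent")
    # The observed check-in got "200 OK" with content-length 0 from a .php
    # endpoint: a beacon-shaped exchange worth noting even on a new host.
    if record["status"] == "200" and record["bytes"] == "0" and path and path.endswith(".php"):
        reasons.append("empty-200-php")
    return reasons


def scan_proxy_log(lines) -> list:
    """Return one Hit per line that carries at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed record; a real pipeline would count these
        reasons = classify(m.groupdict())
        if reasons:
            hits.append(Hit(n, m["client"], reasons))
    return hits


# Constructed sample log: RFC 1918/5737 addresses and example.* hosts, except
# the C2 values taken from the report.
SAMPLE_LOG = [
    "2023-03-13T12:40:35Z|10.0.0.25|187.45.187.42|GET|https://ebaoffice.com.br/imagens/bo/inspecionando.php|200|0|" + C2_USER_AGENT,
    "2023-03-13T12:41:02Z|10.0.0.31|198.51.100.7|GET|https://www.example.com/index.html|200|5123|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0",
    "2023-03-13T12:41:40Z|10.0.0.40|203.0.113.9|GET|https://cdn.example.net/stat.php|200|0|" + C2_USER_AGENT,
    "2023-03-13T12:42:10Z|10.0.0.52|187.45.187.42|CONNECT|ebaoffice.com.br:443|200|0|-",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no} client {hit.client} severity={hit.severity} reasons={hit.reasons}")
```

Two caveats a practitioner would want. First, the check-in went over port 443, so a proxy without TLS interception only sees a CONNECT to the host (the fourth sample line); that is why host and destination IP count as strong indicators on their own. Second, the user agent by itself is a weaker signal, since legitimate legacy clients can send the same string, so the third line is reported at medium severity only. Separately, the TCP table shows three packets from port 49693 to 15.228.77.178:80 at 13:40:34.57, 13:40:37.57 and 13:40:43.59 with no inbound row at all; that spacing is consistent with SYN retransmissions to a host that never answered, and the report gives no name or role for it.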


                                                                    Target ID:0
                                                                    Start time:13:39:43
                                                                    Start date:13/03/2023
                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\F_4_T_U_R_4___nf____0992344.4354.msi"
                                                                    Imagebase:0x7ff68d1e0000
                                                                    File size:66048 bytes
                                                                    MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:1
                                                                    Start time:13:39:43
                                                                    Start date:13/03/2023
                                                                    Path:C:\Windows\System32\msiexec.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\msiexec.exe /V
                                                                    Imagebase:0x7ff68d1e0000
                                                                    File size:66048 bytes
                                                                    MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:2
                                                                    Start time:13:39:45
                                                                    Start date:13/03/2023
                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding F7A68C9D91CEF59A808028AAB00F5DA2
                                                                    Imagebase:0x13d0000
                                                                    File size:59904 bytes
                                                                    MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:3
                                                                    Start time:13:39:47
                                                                    Start date:13/03/2023
                                                                    Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                    Imagebase:0x400000
                                                                    File size:1856512 bytes
                                                                    MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:Borland Delphi
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.309835873.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.609204022.0000000004D78000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000003.325220220.0000000004B87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    Reputation:low

                                                                    Target ID:6
                                                                    Start time:13:41:06
                                                                    Start date:13/03/2023
                                                                    Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                    Imagebase:0x400000
                                                                    File size:1856512 bytes
                                                                    MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low

                                                                    Target ID:7
                                                                    Start time:13:41:15
                                                                    Start date:13/03/2023
                                                                    Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                    Imagebase:0x400000
                                                                    File size:1856512 bytes
                                                                    MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.580116505.0000000004D6D000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
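The process list above is the chain a hunting rule should key on: the Windows Installer instances (Target 0 and 1, plus the 32-bit custom action server Target 2, msiexec.exe -Embedding ...) run elevated, and two seconds after Target 2 starts, Target 3 runs from C:\Users\user\AppData\Roaming\abd1 .exe, also elevated and with a space before the extension; Targets 6 and 7 are later non-elevated launches of the same file. The report lists the processes but not their parent links, so the Python below, an added example that is not Joe Sandbox's or the sample's code, assumes Target 2 as the parent of Target 3 and checks constructed Sysmon-style process-creation events (Event ID 1 field names) for that pattern. The paths and command lines in the first event are the report's; the events themselves and the other parents are constructed.

```python
"""Hunt for the process lineage shown in the report above: the Windows
Installer (msiexec.exe, elevated) starting a dropped executable from the
user's AppData\\Roaming directory under a file name with a space before
".exe".

Field names follow Sysmon Event ID 1 (ProcessCreate); the events are
constructed for this example, not taken from the sandbox run, which lists
the processes but not their parent links.
"""
import ntpath

# Directories a standard user can write to; a binary launched from here by the
# installer service is the pattern seen above.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
)
ELEVATED_LEVELS = ("system", "high")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def odd_executable_name(image: str) -> bool:
    """True for names like 'abd1 .exe': whitespace between the stem and '.exe'.

    Heuristic: a padded stem survives on disk and in the command line and is
    easy to overlook in a process listing.
    """
    stem, ext = ntpath.splitext(ntpath.basename(image))
    return ext.lower() == ".exe" and stem != stem.strip()


def in_user_writable_dir(image: str) -> bool:
    return any(d in image.lower() for d in USER_WRITABLE_DIRS)


def score_event(ev: dict) -> list:
    """Return the list of reasons an event matches; empty means no finding."""
    reasons = []
    image = ev.get("Image", "")
    parent = image_name(ev.get("ParentImage", ""))
    parent_cmd = ev.get("ParentCommandLine", "").lower()
    integrity = ev.get("IntegrityLevel", "").lower()

    if parent == "msiexec.exe" and in_user_writable_dir(image):
        reasons.append("msiexec-child-in-user-writable-dir")
        # "msiexec.exe -Embedding <GUID>" is the custom action server, the
        # instance that runs the package's own custom action code.
        if "-embedding" in parent_cmd:
            reasons.append("parent-is-custom-action-server")
    if odd_executable_name(image):
        reasons.append("whitespace-before-exe-extension")
    if integrity in ELEVATED_LEVELS and in_user_writable_dir(image):
        reasons.append("elevated-process-from-user-writable-dir")
    return reasons


def hunt(events) -> list:
    """Return (event index, reasons) for every event with at least one reason."""
    findings = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed events. Event 0 mirrors Target 2 -> Target 3 above; the parent
# link is an assumption, the paths and command lines are the report's.
SAMPLE_EVENTS = [
    {
        "ParentImage": "C:\\Windows\\syswow64\\MsiExec.exe",
        "ParentCommandLine": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding F7A68C9D91CEF59A808028AAB00F5DA2",
        "Image": "C:\\Users\\user\\AppData\\Roaming\\abd1 .exe",
        "CommandLine": "C:\\Users\\user\\AppData\\Roaming\\abd1 .exe",
        "IntegrityLevel": "System",
    },
    {   # legitimate installer helper from Program Files: no finding
        "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
        "ParentCommandLine": "C:\\Windows\\system32\\msiexec.exe /V",
        "Image": "C:\\Program Files\\Vendor\\setup-helper.exe",
        "CommandLine": "\"C:\\Program Files\\Vendor\\setup-helper.exe\" /quiet",
        "IntegrityLevel": "High",
    },
    {   # the user later double-clicks the dropped file: only the name stands out
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
        "Image": "C:\\Users\\user\\AppData\\Roaming\\abd1 .exe",
        "CommandLine": "\"C:\\Users\\user\\AppData\\Roaming\\abd1 .exe\"",
        "IntegrityLevel": "Medium",
    },
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], reasons)
```

The second event is the false-positive control: installers routinely spawn helpers at high integrity, so the parent alone is not a finding; it is the combination with a user-writable directory that matches what this sample did. The separate "elevated-process-from-user-writable-dir" reason also catches the case where msiexec is not the parent but a SYSTEM process runs something out of a profile directory.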

                                                                    No disassembly