
Windows Analysis Report
z1F_4_T_U_r_4_2024mfdfgryry5.msi

Overview

General Information

Sample Name: z1F_4_T_U_r_4_2024mfdfgryry5.msi
Analysis ID: 826204
MD5: 61ff4cdae6f7986ef209560f4fe38fbf
SHA1: f780332539b013a07bc84943c98b04d155619fc5
SHA256: 4735b8e4cb072fa17ede40fc38737fe87ed2b1e6be7bd72a6f28e4f037613e13
Tags: msi

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Queries keyboard layouts
Yara detected Keylogger Generic
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware

Classification

  • System is w10x64
  • msiexec.exe (PID: 1516 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z1F_4_T_U_r_4_2024mfdfgryry5.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 5232 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 5696 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8691F6983ACCABCCE0C9446FEF7BF02E MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • abd1 .exe (PID: 2348 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 5692 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 4792 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\abd1 .exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author
00000006.00000002.514615623.0000000002A80000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000003.00000003.325986773.0000000002802000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000003.00000002.587390780.00000000029FF000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000003.00000000.310275166.0000000000401000.00000020.00000001.01000000.00000003.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author
3.0.abd1 .exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: z1F_4_T_U_r_4_2024mfdfgryry5.msi | ReversingLabs: Detection: 28%
Source: z1F_4_T_U_r_4_2024mfdfgryry5.msi | Virustotal: Detection: 41%
Source: C:\Users\user\AppData\Roaming\WebUI.dll | ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\WebUI.dll | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe | File opened: a:, b:, c:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z: (one "File opened" event per drive letter)
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 15.228.77.178
Source: Joe Sandbox View | IP Address: 187.45.187.42
Source: global traffic | HTTP traffic detected:
    GET /imagens/bo/inspecionando.php HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: ebaoffice.com.br
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown | DNS traffic detected: queries for: ebaoffice.com.br
Source: abd1 .exe, 00000003.00000003.325986773.0000000002802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DirectInput8Create
Source: abd1 .exe, 00000003.00000003.329021627.000000000280B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
Source: Yara match | File source: 00000006.00000002.514615623.0000000002A80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.325986773.0000000002802000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.587390780.00000000029FF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 2348, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 5692, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: abd1 .exe PID: 4792, type: MEMORYSTR

System Summary

Source: WebUI.dll.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI6FF2.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6c6bfb.msi
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_024F5A99
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_024F737E
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_024EE1F9
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_024EBF04
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_0251BF08
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_0251B4AF
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_024F1D59
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: String function: 02541F0D appears 33 times
Source: z1F_4_T_U_r_4_2024mfdfgryry5.msi | Binary or memory string: OriginalFilenameAICustAct.dllF vs z1F_4_T_U_r_4_2024mfdfgryry5.msi
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z1F_4_T_U_r_4_2024mfdfgryry5.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8691F6983ACCABCCE0C9446FEF7BF02E
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\abd1 .exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Local\Temp\MSIc690d.LOG
Source: classification engine | Classification label: mal76.evad.winMSI@8/27@1/2
Source: C:\Users\user\AppData\Roaming\abd1 .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: z1F_4_T_U_r_4_2024mfdfgryry5.msiStatic file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$92c
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$163c
                Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$12b8
                Source: Yara matchFile source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000003.00000000.310275166.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED
                Source: C:\Users\user\AppData\Roaming\abd1 .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\abd1 .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: z1F_4_T_U_r_4_2024mfdfgryry5.msiStatic file information: File size 8487936 > 1048576
                Source: Binary string: iphlpapi.pdbUGP source: abd1 .exe, 00000003.00000002.586726358.0000000002878000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.513033436.00000000028DA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.461669663.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.525664822.00000000026D8000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernel32.pdb source: abd1 .exe, 00000003.00000003.327377830.00000000023A5000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.584442919.0000000002551000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.508812747.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.522810867.0000000002441000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdbUGP source: abd1 .exe, 00000003.00000002.586726358.0000000002800000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.513033436.0000000002870000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.459882009.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.525664822.0000000002660000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: iphlpapi.pdb source: abd1 .exe, 00000003.00000002.586726358.0000000002878000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.513033436.00000000028DA000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.461669663.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.525664822.00000000026D8000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdb source: abd1 .exe, 00000003.00000003.325986773.0000000002802000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.587390780.00000000029FF000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.514615623.0000000002A80000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: abd1 .exe, 00000003.00000003.324124673.00000000024D2000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.585197149.000000000266E000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.510145403.00000000026D5000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.523736457.00000000024CD000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: abd1 .exe, 00000003.00000003.324124673.00000000024D2000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.585197149.000000000266E000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.510145403.00000000026D5000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.523736457.00000000024CD000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdb source: abd1 .exe, 00000003.00000003.329021627.000000000280B000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.589051217.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.517303228.0000000002C7A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.536181812.0000000002A4B000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: wkernelbase.pdbUGP source: abd1 .exe, 00000003.00000003.325986773.0000000002802000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.587390780.00000000029FF000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.514615623.0000000002A80000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: advapi32.pdb source: abd1 .exe, 00000003.00000002.586726358.0000000002800000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.513033436.0000000002870000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000003.459882009.00000000008B7000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.525664822.0000000002660000.00000040.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: z1F_4_T_U_r_4_2024mfdfgryry5.msi, MSI71AA.tmp.1.dr, MSI714B.tmp.1.dr, MSI7277.tmp.1.dr, MSI71E9.tmp.1.dr
                Source: Binary string: wkernel32.pdbGCTL source: abd1 .exe, 00000003.00000003.327377830.00000000023A5000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.584442919.0000000002551000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.508812747.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.522810867.0000000002441000.00000040.00000020.00020000.00000000.sdmp
                Source: Binary string: wuser32.pdbUGP source: abd1 .exe, 00000003.00000003.329021627.000000000280B000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.589051217.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.517303228.0000000002C7A000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.536181812.0000000002A4B000.00000040.00000800.00020000.00000000.sdmp
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Code function: 3_2_02541F52 push ecx; ret 3_2_02541F65
                Source: WebUI.dll.1.dr | Static PE information: section name: .sedata
                Source: WebUI.dll.1.dr | Static PE information: section name: .sedata
                Source: initial sample | Static PE information: section where entry point is pointing to: .sedata
                Source: initial sample | Static PE information: section name: .sedata entropy: 7.131494049144793
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI714B.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\abd1 .exe
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\WebUI.dll
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71E9.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6FF2.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71AA.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7277.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI714B.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71E9.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI6FF2.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI71AA.tmp
                Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI7277.tmp
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 2348 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 2348 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 2348 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 2348 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 2348 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 2348 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 5692 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 5692 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 5692 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 5692 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 5692 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 5692 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 4792 base: 4A3E60 value: E9 FB 65 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 4792 base: 4A397C value: E9 FB 68 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 4792 base: 49FCC0 value: E9 0B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 4792 base: 49FCE4 value: E9 6B E7 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 4792 base: 49FCF4 value: E9 FF E8 06 00
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Memory written: PID: 4792 base: 49FCB0 value: E9 B7 EA 06 00
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C588B74 second address: 000000006C588BC4 instructions: 0x00000000 rdtsc 0x00000002 mov bh, 52h 0x00000004 dec dl 0x00000006 jno 00007FD2E4B0936Dh 0x00000008 jmp 00007FD2E4B09AC5h 0x0000000d bswap eax 0x0000000f not al 0x00000011 lea eax, dword ptr [esp+0000008Ch] 0x00000018 jmp 00007FD2E4B08EB5h 0x0000001d setnl bh 0x00000020 not esi 0x00000022 rcl ebx, cl 0x00000024 jnp 00007FD2E4B09315h 0x00000026 jmp 00007FD2E4B09248h 0x0000002b dec ah 0x0000002d btc dx, di 0x00000031 mov dl, B9h 0x00000033 jmp 00007FD2E4B0932Eh 0x00000035 bsr edx, ecx 0x00000038 call 00007FD2E4B09377h 0x0000003d rcr bh, cl 0x0000003f jnbe 00007FD2E4B093C2h 0x00000041 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C588FFF second address: 000000006C588FD0 instructions: 0x00000000 rdtsc 0x00000002 push di 0x00000004 xchg word ptr [esp], dx 0x00000008 sets dh 0x0000000b jmp 00007FD2E4AC448Bh 0x0000000d lea esp, dword ptr [esp+02h] 0x00000011 jmp 00007FD2E4AC4496h 0x00000013 inc esi 0x00000014 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C588FD0 second address: 000000006C589039 instructions: 0x00000000 rdtsc 0x00000002 bts eax, eax 0x00000005 jne 00007FD2E4B093C7h 0x00000007 mov ah, byte ptr [esp] 0x0000000a jmp 00007FD2E4B093D0h 0x0000000c mov edx, dword ptr [esp] 0x0000000f sub dx, di 0x00000012 mov edx, C2F83778h 0x00000017 jmp 00007FD2E4B0936Fh 0x00000019 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C58A361 second address: 000000006C58A363 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C58A2EC second address: 000000006C58A2EE instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C596EB8 second address: 000000006C596F49 instructions: 0x00000000 rdtsc 0x00000002 sete dl 0x00000005 jmp 00007FD2E4AC44D6h 0x00000007 lea esp, dword ptr [esp+04h] 0x0000000b add bl, 00000059h 0x0000000e mov edx, dword ptr [esp] 0x00000011 inc ax 0x00000013 jmp 00007FD2E4AC44D7h 0x00000015 jnl 00007FD2E4AC449Ah 0x00000017 stc 0x00000018 call 00007FD2E4AC48B8h 0x0000001d bsf ax, cx 0x00000021 js 00007FD2E4AC40FFh 0x00000027 jns 00007FD2E4AC40F9h 0x0000002d jmp 00007FD2E4AC449Ah 0x0000002f ror bl, 00000000h 0x00000032 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C594925 second address: 000000006C5949F7 instructions: 0x00000000 rdtsc 0x00000002 pop word ptr [esp] 0x00000006 jmp 00007FD2E4B09455h 0x0000000b xchg eax, edx 0x0000000c lea esp, dword ptr [esp+02h] 0x00000010 bswap eax 0x00000012 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C594B85 second address: 000000006C594BE0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2E4AC4BAFh 0x00000007 add esi, 04h 0x0000000a rol dx, cl 0x0000000d ja 00007FD2E4AC4249h 0x00000013 dec ax 0x00000015 jmp 00007FD2E4AC4139h 0x0000001a xchg ax, dx 0x0000001c xor ah, cl 0x0000001e and dx, 888Dh 0x00000023 jmp 00007FD2E4AC439Ah 0x00000028 bsr dx, bp 0x0000002c bts edx, esi 0x0000002f mov edx, dword ptr [esp] 0x00000032 lea eax, dword ptr [00000000h+eax*4] 0x00000039 call 00007FD2E4AC451Eh 0x0000003e neg dl 0x00000040 stc 0x00000041 mov dl, 6Ch 0x00000043 mov dx, ax 0x00000046 xchg dword ptr [esp], ebx 0x00000049 jmp 00007FD2E4AC4463h 0x0000004b rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C594BE0 second address: 000000006C594D62 instructions: 0x00000000 rdtsc 0x00000002 bts dx, bx 0x00000006 mov eax, esp 0x00000008 push ebx 0x00000009 lea ebx, dword ptr [ebx-0000002Ch] 0x0000000f neg eax 0x00000011 jmp 00007FD2E4B09369h 0x00000013 mov dl, byte ptr [esp] 0x00000016 mov dl, byte ptr [esp] 0x00000019 mov ax, 324Eh 0x0000001d xchg dword ptr [esp+04h], ebx 0x00000021 jmp 00007FD2E4B093C1h 0x00000023 lea edx, dword ptr [edi+ebp] 0x00000026 inc dx 0x00000028 mov eax, dword ptr [esp] 0x0000002b mov dh, 9Ch 0x0000002d mov dl, bl 0x0000002f push dword ptr [esp+04h] 0x00000033 retn 0008h 0x00000036 add ebx, 2BC9D459h 0x0000003c jmp 00007FD2E4B093F0h 0x0000003e rcl ah, cl 0x00000040 jnc 00007FD2E4B093E0h 0x00000042 mov eax, edx 0x00000044 bswap eax 0x00000046 jmp 00007FD2E4B09376h 0x00000048 ror ebx, 00000000h 0x0000004b mov dx, 2163h 0x0000004f stc 0x00000050 jne 00007FD2E4B093BAh 0x00000052 clc 0x00000053 call 00007FD2E4B093ACh 0x00000058 bsf ax, bx 0x0000005c jnl 00007FD2E4B09375h 0x0000005e inc dl 0x00000060 jmp 00007FD2E4B093B3h 0x00000062 lea esp, dword ptr [esp+04h] 0x00000066 neg ebx 0x00000068 rcl edx, 1Fh 0x0000006b jno 00007FD2E4B09505h 0x00000071 setnb dl 0x00000074 bsf eax, esi 0x00000077 xchg dl, dh 0x00000079 call 00007FD2E4B0923Ch 0x0000007e mov eax, dword ptr [esp] 0x00000081 mov dx, word ptr [esp] 0x00000085 call 00007FD2E4B0942Dh 0x0000008a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C596078 second address: 000000006C596183 instructions: 0x00000000 rdtsc 0x00000002 inc bx 0x00000004 jmp 00007FD2E4AC4509h 0x00000006 jp 00007FD2E4AC4464h 0x00000008 jnp 00007FD2E4AC4462h 0x0000000a lea ebp, dword ptr [00000000h+ebx*4] 0x00000011 mov ecx, F2D1F7F8h 0x00000016 push esi 0x00000017 call 00007FD2E4AC44CAh 0x0000001c bsf si, bx 0x00000020 jmp 00007FD2E4AC44EBh 0x00000022 jp 00007FD2E4AC447Bh 0x00000024 xchg word ptr [esp], dx 0x00000028 pushfd 0x00000029 jmp 00007FD2E4AC44CAh 0x0000002b push edi 0x0000002c pushad 0x0000002d mov bh, byte ptr [esp+18h] 0x00000031 mov byte ptr [esp+0Ch], bl 0x00000035 push word ptr [esp+0Ch] 0x0000003a jmp 00007FD2E4AC44F5h 0x0000003c jnc 00007FD2E4AC45B8h 0x00000042 lea esp, dword ptr [esp+02h] 0x00000046 xchg bh, ah 0x00000048 lea ecx, dword ptr [edx+ebx] 0x0000004b lea edi, dword ptr [00000000h+edx*4] 0x00000052 bsr edx, esi 0x00000055 jmp 00007FD2E4AC4411h 0x0000005a add esp, 20h 0x0000005d jno 00007FD2E4AC4475h 0x0000005f pop ebp 0x00000060 mov dx, A2A1h 0x00000064 mov bx, 90C8h 0x00000068 jmp 00007FD2E4AC4487h 0x0000006a shr al, cl 0x0000006c jnle 00007FD2E4AC4498h 0x0000006e mov ah, byte ptr [esp] 0x00000071 jmp 00007FD2E4AC44EAh 0x00000073 add esp, 08h 0x00000076 jnbe 00007FD2E4AC4475h 0x00000078 pop edi 0x00000079 or ah, 0000006Dh 0x0000007c jmp 00007FD2E4AC4549h 0x00000081 jnl 00007FD2E4AC4435h 0x00000083 lea esi, dword ptr [00000000h+esi*4] 0x0000008a rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C595557 second address: 000000006C595541 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+08h] 0x00000006 setnle bl 0x00000009 bsf dx, si 0x0000000d jmp 00007FD2E4B09396h 0x0000000f jnbe 00007FD2E4B09367h 0x00000011 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C595541 second address: 000000006C5955EC instructions: 0x00000000 rdtsc 0x00000002 mov ecx, esp 0x00000004 jmp 00007FD2E4AC4513h 0x00000006 pop esi 0x00000007 mov bx, si 0x0000000a cpuid 0x0000000c xchg ax, cx 0x0000000e call 00007FD2E4AC4472h 0x00000013 jmp 00007FD2E4AC44D0h 0x00000015 add esp, 08h 0x00000018 je 00007FD2E4AC448Fh 0x0000001a jne 00007FD2E4AC448Dh 0x0000001c pop ecx 0x0000001d btc dx, si 0x00000021 jnbe 00007FD2E4AC4507h 0x00000023 jmp 00007FD2E4AC4495h 0x00000025 pop edi 0x00000026 call 00007FD2E4AC44E2h 0x0000002b cmc 0x0000002c setnp bh 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C5955EC second address: 000000006C588B74 instructions: 0x00000000 rdtsc 0x00000002 xchg edx, ebx 0x00000004 jmp 00007FD2E4B09372h 0x00000006 xchg dword ptr [esp], edi 0x00000009 lea ebx, dword ptr [edi-000000C8h] 0x0000000f mov bx, word ptr [esp] 0x00000013 jmp 00007FD2E4B093A3h 0x00000015 lea ebx, dword ptr [edx-0000DC30h] 0x0000001b bswap edx 0x0000001d lea edi, dword ptr [edi-0000CA86h] 0x00000023 xchg dh, bh 0x00000025 jmp 00007FD2E4B0945Bh 0x0000002a stc 0x0000002b stc 0x0000002c add bx, sp 0x0000002f xchg dword ptr [esp], edi 0x00000032 mov bx, word ptr [esp] 0x00000036 inc ebx 0x00000037 jmp 00007FD2E4B09324h 0x00000039 mov dx, E18Dh 0x0000003d bts dx, si 0x00000041 bswap edx 0x00000043 push dword ptr [esp] 0x00000046 retn 0004h 0x00000049 mov ecx, esi 0x0000004b mov dx, bx 0x0000004e jmp 00007FD2E4B093C3h 0x00000050 mov dx, word ptr [esp] 0x00000054 lea edx, dword ptr [esp+edi] 0x00000057 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C5956AC second address: 000000006C5956BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2E4AC44B6h 0x00000004 push ebp 0x00000005 mov ebp, C0CB15B0h 0x0000000a sete bl 0x0000000d rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C596382 second address: 000000006C5963CA instructions: 0x00000000 rdtsc 0x00000002 call 00007FD2E4B093CFh 0x00000007 dec dl 0x00000009 mov ah, byte ptr [esp] 0x0000000c rol al, cl 0x0000000e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C599EB2 second address: 000000006C599EF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2E4AC44F1h 0x00000004 sub ebp, 04h 0x00000007 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C599EF8 second address: 000000006C598C4E instructions: 0x00000000 rdtsc 0x00000002 xchg dl, ah 0x00000004 jmp 00007FD2E4B09321h 0x00000006 mov dword ptr [ebp+00h], ebx 0x00000009 neg edx 0x0000000b jnc 00007FD2E4B093B4h 0x0000000d jc 00007FD2E4B080DEh 0x00000013 call 00007FD2E4B093FCh 0x00000018 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C598C4E second address: 000000006C598D00 instructions: 0x00000000 rdtsc 0x00000002 mov ax, E56Dh 0x00000006 adc edx, C4B6BEBAh 0x0000000c pushfd 0x0000000d xchg dword ptr [esp+04h], ecx 0x00000011 jmp 00007FD2E4AC4489h 0x00000013 btc ebx, ebp 0x00000016 neg ebx 0x00000018 bswap eax 0x0000001a lea eax, dword ptr [00000000h+ebx*4] 0x00000021 jmp 00007FD2E4AC4561h 0x00000026 mov dx, word ptr [esp] 0x0000002a lea ecx, dword ptr [ecx+27h] 0x0000002d bswap edx 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C5A17F9 second address: 000000006C59638A instructions: 0x00000000 rdtsc 0x00000002 dec ah 0x00000004 jmp 00007FD2E4B093ADh 0x00000006 js 00007FD2E4B093A6h 0x00000008 mov ebp, dword ptr [ebp+00h] 0x0000000b jmp 00007FD2E4B09396h 0x0000000d rol ebx, cl 0x0000000f jo 00007FD2E4B093C7h 0x00000011 jno 00007FD2E4B093AFh 0x00000013 btr dx, cx 0x00000017 sub esp, 03h 0x0000001a lea esp, dword ptr [esp+03h] 0x0000001e jmp 00007FD2E4B093A6h 0x00000020 jmp 00007FD2E4B093F8h 0x00000022 lea edx, dword ptr [edi+50h] 0x00000025 inc ah 0x00000027 js 00007FD2E4B09325h 0x00000029 mov bh, 74h 0x0000002b xchg ebx, eax 0x0000002d stc 0x0000002e jmp 00007FD2E4B093B0h 0x00000030 mov eax, dword ptr [esp] 0x00000033 push ebx 0x00000034 cmp ebp, edx 0x00000036 jne 00007FD2E4B093A5h 0x00000038 mov eax, esi 0x0000003a jmp 00007FD2E4B093D5h 0x0000003c mov ax, 7DDFh 0x00000040 mov eax, EAD00AD1h 0x00000045 lea esp, dword ptr [esp+04h] 0x00000049 jmp 00007FD2E4B0936Dh 0x0000004b ja 00007FD2E4AFDE05h 0x00000051 jmp 00007FD2E4B093CDh 0x00000053 movzx ebx, byte ptr [esi] 0x00000056 mov edx, dword ptr [esp] 0x00000059 cmc 0x0000005a je 00007FD2E4B09369h 0x0000005c jne 00007FD2E4B0936Fh 0x0000005e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C592FBD second address: 000000006C592FFA instructions: 0x00000000 rdtsc 0x00000002 setl dh 0x00000005 lea eax, dword ptr [edx+edx] 0x00000008 mov bx, 463Ch 0x0000000c bsf eax, esi 0x0000000f jmp 00007FD2E4AC44F5h 0x00000011 jo 00007FD2E4AC447Ah 0x00000013 mov eax, dword ptr [esp] 0x00000016 bsf ax, dx 0x0000001a jmp 00007FD2E4AC4481h 0x0000001c sete ah 0x0000001f jmp 00007FD2E4AC44DEh 0x00000021 pop ebp 0x00000022 jmp 00007FD2E4AC4483h 0x00000024 btr dx, bx 0x00000028 jbe 00007FD2E4AC454Ah 0x0000002e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | RDTSC instruction interceptor: First address: 000000006C5D5BF6 second address: 000000006C5D5BF8 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C5D5BF8 second address: 000000006C598C4E instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], edx 0x00000005 jmp 00007FD2E4AC44DEh 0x00000007 rcl ah, cl 0x00000009 inc bx 0x0000000b dec ax 0x0000000d mov bl, 0Ch 0x0000000f lea edx, dword ptr [edx+17h] 0x00000012 call 00007FD2E4AC4545h 0x00000017 mov eax, esi 0x00000019 jmp 00007FD2E4AC446Ch 0x0000001b xchg byte ptr [esp], al 0x0000001e mov bl, AEh 0x00000020 xchg dword ptr [esp+04h], edx 0x00000024 mov edx, 55D31757h 0x00000029 ror dh, cl 0x0000002b neg eax 0x0000002d call 00007FD2E4AC4486h 0x00000032 jmp 00007FD2E4AC449Ah 0x00000034 inc dx 0x00000036 push dword ptr [esp+08h] 0x0000003a retn 000Ch 0x0000003d bswap eax 0x0000003f mov edx, dword ptr [esp] 0x00000042 jmp 00007FD2E4A87486h 0x00000047 call 00007FD2E4AC451Ch 0x0000004c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C5AB33B second address: 000000006C5AB3DA instructions: 0x00000000 rdtsc 0x00000002 mov ax, EB19h 0x00000006 btr eax, edx 0x00000009 jmp 00007FD2E4B0949Eh 0x0000000e jnp 00007FD2E4B0929Fh 0x00000014 xchg dh, bh 0x00000016 add ebp, 02h 0x00000019 rol bx, cl 0x0000001c jmp 00007FD2E4B093EAh 0x0000001e jnl 00007FD2E4B093A7h 0x00000020 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C5AB3DA second address: 000000006C5AB3DE instructions: 0x00000000 rdtsc 0x00000002 xchg dh, bh 0x00000004 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C5AB3DE second address: 000000006C589B0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2E4AE7A0Dh 0x00000007 jmp 00007FD2E4B093AFh 0x00000009 mov eax, esi 0x0000000b movzx ebx, byte ptr [eax] 0x0000000e xchg edx, eax 0x00000010 add dx, ax 0x00000013 jmp 00007FD2E4B093A7h 0x00000015 jne 00007FD2E4B093AAh 0x00000017 mov ax, word ptr [esp] 0x0000001b mov ah, byte ptr [esp] 0x0000001e lea eax, dword ptr [edx+edi] 0x00000021 jmp 00007FD2E4B093DBh 0x00000023 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C59CFA8 second address: 000000006C59638A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2E4AC44EAh 0x00000004 lea edx, dword ptr [ebp+7Fh] 0x00000007 btr ebx, ebp 0x0000000a jnle 00007FD2E4AC4494h 0x0000000c mov eax, dword ptr [ebp+00h] 0x0000000f lea ebx, dword ptr [ecx+ecx] 0x00000012 jmp 00007FD2E4AC44E0h 0x00000014 xchg bh, bl 0x00000016 lea edx, dword ptr [00000000h+ecx*4] 0x0000001d mov edx, dword ptr [eax] 0x0000001f lea ebx, dword ptr [ecx-0000A136h] 0x00000025 setb bh 0x00000028 jmp 00007FD2E4AC4486h 0x0000002a not bh 0x0000002c shl bl, 1 0x0000002e ja 00007FD2E4AC4838h 0x00000034 jbe 00007FD2E4AC4832h 0x0000003a mov dword ptr [ebp+00h], edx 0x0000003d mov bx, word ptr [esp] 0x00000041 jmp 00007FD2E4AC42A5h 0x00000046 neg bh 0x00000048 jc 00007FD2E4AC4457h 0x0000004a mov bl, dl 0x0000004c jmp 00007FD2E4ABD6F4h 0x00000051 jmp 00007FD2E4AC44EDh 0x00000053 movzx ebx, byte ptr [esi] 0x00000056 mov edx, dword ptr [esp] 0x00000059 cmc 0x0000005a je 00007FD2E4AC4489h 0x0000005c jne 00007FD2E4AC448Fh 0x0000005e rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C599EF3 second address: 000000006C599EF8 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 04h 0x00000005 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C588B51 second address: 000000006C588B74 instructions: 0x00000000 rdtsc 0x00000002 bswap edi 0x00000004 jmp 00007FD2E4AC447Ah 0x00000006 sub esp, 000000BCh 0x0000000c mov edi, esp 0x0000000e btr dx, ax 0x00000012 jnp 00007FD2E4AC447Dh 0x00000014 mov eax, 90EB6236h 0x00000019 jmp 00007FD2E4AC44E2h 0x0000001b rcr ax, cl 0x0000001e cmp ah, 00000006h 0x00000021 mov ecx, esi 0x00000023 mov dx, bx 0x00000026 jmp 00007FD2E4AC44E3h 0x00000028 mov dx, word ptr [esp] 0x0000002c lea edx, dword ptr [esp+edi] 0x0000002f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C585E22 second address: 000000006C585DFD instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 jmp 00007FD2E4B09367h 0x00000006 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C5D65B0 second address: 000000006C5D56B3 instructions: 0x00000000 rdtsc 0x00000002 neg ax 0x00000005 push dword ptr [esp+16h] 0x00000009 lea esp, dword ptr [esp+03h] 0x0000000d xchg dword ptr [esp+18h], ebp 0x00000011 jmp 00007FD2E4AC39FAh 0x00000016 shr eax, cl 0x00000018 lea edx, dword ptr [00000000h+ecx*4] 0x0000001f mov dh, byte ptr [esp] 0x00000022 push dword ptr [esp+18h] 0x00000026 retn 001Ch 0x00000029 movzx ebx, byte ptr [esi] 0x0000002c not dh 0x0000002e jmp 00007FD2E4AC46B4h 0x00000033 neg ax 0x00000036 jnp 00007FD2E4AC4405h 0x0000003c rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C588B74 second address: 000000006C588BC4 instructions: 0x00000000 rdtsc 0x00000002 mov bh, 52h 0x00000004 dec dl 0x00000006 jno 00007FD2E4B0936Dh 0x00000008 jmp 00007FD2E4B09AC5h 0x0000000d bswap eax 0x0000000f not al 0x00000011 lea eax, dword ptr [esp+0000008Ch] 0x00000018 jmp 00007FD2E4B08EB5h 0x0000001d setnl bh 0x00000020 not esi 0x00000022 rcl ebx, cl 0x00000024 jnp 00007FD2E4B09315h 0x00000026 dec ah 0x00000028 btc dx, di 0x0000002c mov dl, B9h 0x0000002e bsr edx, ecx 0x00000031 jmp 00007FD2E4B09169h 0x00000036 call 00007FD2E4B09377h 0x0000003b rcr bh, cl 0x0000003d jnbe 00007FD2E4B093C2h 0x0000003f rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C596EB8 second address: 000000006C596F49 instructions: 0x00000000 rdtsc 0x00000002 sete dl 0x00000005 jmp 00007FD2E4AC44D6h 0x00000007 lea esp, dword ptr [esp+04h] 0x0000000b add bl, 00000059h 0x0000000e mov edx, dword ptr [esp] 0x00000011 inc ax 0x00000013 jmp 00007FD2E4AC44D7h 0x00000015 jnl 00007FD2E4AC449Ah 0x00000017 stc 0x00000018 jmp 00007FD2E4AC4498h 0x0000001a call 00007FD2E4AC48B8h 0x0000001f bsf ax, cx 0x00000023 js 00007FD2E4AC40FFh 0x00000029 jns 00007FD2E4AC40F9h 0x0000002f jmp 00007FD2E4AC449Ah 0x00000031 ror bl, 00000000h 0x00000034 rdtsc
                Source: C:\Users\user\AppData\Roaming\abd1 .exeRDTSC instruction interceptor: First address: 000000006C5A17F9 second address: 000000006C59638A instructions: 0x00000000 rdtsc 0x00000002 dec ah 0x00000004 jmp 00007FD2E4B093ADh 0x00000006 js 00007FD2E4B093A6h 0x00000008 jns 00007FD2E4B093A4h 0x0000000a mov ebp, dword ptr [ebp+00h] 0x0000000d jmp 00007FD2E4B09396h 0x0000000f rol ebx, cl 0x00000011 jo 00007FD2E4B093C7h 0x00000013 jno 00007FD2E4B093AFh 0x00000015 btr dx, cx 0x00000019 sub esp, 03h 0x0000001c lea esp, dword ptr [esp+03h] 0x00000020 jmp 00007FD2E4B093A6h 0x00000022 jmp 00007FD2E4B093F8h 0x00000024 lea edx, dword ptr [edi+50h] 0x00000027 inc ah 0x00000029 js 00007FD2E4B09325h 0x0000002b mov bh, 74h 0x0000002d jmp 00007FD2E4B0935Ch 0x0000002f xchg ebx, eax 0x00000031 stc 0x00000032 jmp 00007FD2E4B09377h 0x00000034 mov eax, dword ptr [esp] 0x00000037 push ebx 0x00000038 cmp ebp, edx 0x0000003a jne 00007FD2E4B093A5h 0x0000003c mov eax, esi 0x0000003e jmp 00007FD2E4B093D5h 0x00000040 mov ax, 7DDFh 0x00000044 mov eax, EAD00AD1h 0x00000049 lea esp, dword ptr [esp+04h] 0x0000004d jmp 00007FD2E4B0936Dh 0x0000004f ja 00007FD2E4AFDE05h 0x00000055 jmp 00007FD2E4B093CDh 0x00000057 movzx ebx, byte ptr [esi] 0x0000005a mov edx, dword ptr [esp] 0x0000005d cmc 0x0000005e je 00007FD2E4B09369h 0x00000060 jne 00007FD2E4B0936Fh 0x00000062 rdtsc
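Each interceptor record above is one pair of rdtsc instructions ("First address" and "second address") together with the instruction stream the sandbox saw between them: the sample reads the time-stamp counter before and after a block of junk code and compares the elapsed cycle count against a threshold, because a trapped or emulated rdtsc under a hypervisor or instrumentation inflates the delta. The sandbox hooks every rdtsc so it can hand back consistent values, which is why the pairs are listed at all. The C program below is an added example, not code from the sample or from Joe Sandbox, that reimplements that check in plain form: repeated measurements, a median to discount an interrupt landing inside one sample, and a threshold compare. The 1000-cycle threshold and the 16-iteration body are assumptions; a real packer tunes the threshold to the junk block it emits.

```c
/* Added example of an rdtsc-delta virtualization check (not the sample's code).
 * Measurement and decision are separate so the decision logic can be
 * exercised on constructed samples without x86 hardware. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
#  if defined(_MSC_VER)
#    include <intrin.h>
#  else
#    include <x86intrin.h>
#  endif
#  define HAVE_TSC 1
#  define READ_TSC() __rdtsc()
#else
#  define HAVE_TSC 0
#  define READ_TSC() ((uint64_t)0)
#endif

/* One measurement: cycles between two rdtsc reads around a short body of
 * register work, standing in for the obfuscated block in the records. */
static uint64_t tsc_delta_once(void) {
    volatile uint32_t sink = 0;
    uint64_t t0 = READ_TSC();
    for (int i = 0; i < 16; i++) sink ^= (uint32_t)i * 0x9E3779B1u;  /* assumed body */
    uint64_t t1 = READ_TSC();
    (void)sink;
    return t1 - t0;
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts in place). Median rather than mean or min so a
 * single context switch inside one sample cannot decide the verdict. */
uint64_t tsc_median(uint64_t *samples, size_t n) {
    qsort(samples, n, sizeof *samples, cmp_u64);
    return samples[n / 2];
}

/* 1 = delta too large for native execution (trapped/emulated rdtsc), else 0. */
int tsc_verdict(uint64_t *samples, size_t n, uint64_t threshold_cycles) {
    return tsc_median(samples, n) > threshold_cycles;
}

/* Collect n live samples; returns 0 when this build has no TSC. */
int tsc_sample(uint64_t *out, size_t n) {
    if (!HAVE_TSC) return 0;
    for (size_t i = 0; i < n; i++) out[i] = tsc_delta_once();
    return 1;
}

/* Decision logic on constructed samples (values are made up for the test). */
int tsc_selftest(void) {
    uint64_t native[5]  = {30, 25, 9000, 28, 27};  /* one outlier: interrupt hit sample 3 */
    uint64_t trapped[4] = {5000, 6000, 5500, 40};  /* rdtsc exiting to a hypervisor */
    if (tsc_median(native, 5) != 28) return 0;
    if (tsc_verdict(native, 5, 1000) != 0) return 0;
    if (tsc_median(trapped, 4) != 5500) return 0;
    if (tsc_verdict(trapped, 4, 1000) != 1) return 0;
    return 1;
}

int main(void) {
    enum { N = 64 };
    uint64_t s[N];
    const uint64_t threshold = 1000;  /* assumption, see lead-in */
    printf("self-test: %s\n", tsc_selftest() ? "ok" : "FAIL");
    if (!tsc_sample(s, N)) { puts("no rdtsc on this architecture"); return 0; }
    printf("median delta = %llu cycles -> %s\n", (unsigned long long)tsc_median(s, N),
           tsc_verdict(s, N, threshold) ? "looks virtualized/traced" : "looks native");
    return 0;
}
```

Run on bare metal the median is a few dozen cycles; under a hypervisor that traps rdtsc, or under single-stepping, it is thousands. An interceptor like the one in the report defeats the check by rewriting the values the second rdtsc returns, which is the cheaper counter-measure compared with making every path between the two reads fast.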
Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 2772  Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 836  Thread sleep count: 131 > 30
Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 5468  Thread sleep count: 118 > 30
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSI714B.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSI71E9.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSI71AA.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\MSI7277.tmp
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Memory allocated: 6680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Memory allocated: 6EB0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Memory allocated: 7030000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Memory allocated: 7050000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Memory allocated: 6670000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Memory allocated: 6650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Key opened (3 times): HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\Windows\System32\msiexec.exe  Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe  File Volume queried (7 times): C:\ FullSizeInformation
Source: abd1 .exe, 00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp  Binary or memory string: DisableGuestVmNetworkConnectivity
Source: abd1 .exe, 00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp  Binary or memory string: EnableGuestVmNetworkConnectivity
Source: abd1 .exe, 00000006.00000002.507443605.00000000008EE000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note on the last string: "Hyper-V RAW" is the Winsock catalog name of the Hyper-V socket (AF_HYPERV) provider implemented in mswsock.dll, so it turns up in the memory of any process that has initialised Winsock on Windows 10 and later, including physical hosts. On its own it is weak evidence that the sample is looking for a VM; the rdtsc pairs above are the stronger indicator.

                Anti Debugging

Source: C:\Users\user\AppData\Roaming\abd1 .exe  Thread information set (3 times): HideFromDebugger
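The three HideFromDebugger records above are NtSetInformationThread calls with information class 0x11 (ThreadHideFromDebugger); once set, the thread no longer reports exceptions or breakpoints to an attached debugger. The fs:[00000030h] reads listed under the next signature are the classic route to the PEB, whose BeingDebugged byte at offset 0x02 a packer checks first. The C program below is an added example, not code from the sample: the PEB field evaluation takes a caller-supplied PEB image so it runs offline on constructed buffers; the Windows-only part performs the live fs:/gs: read, the hide call, and the query an analyst can use to confirm a thread has been hidden (NtQueryInformationThread with the same class 0x11 returns a BOOLEAN). The NtGlobalFlag check (offset 0x68 in a 32-bit PEB, 0xBC in a 64-bit one) goes beyond what the report shows and is included as the companion check a practitioner would expect next to BeingDebugged.

```c
/* Added example (not the sample's code): the PEB debugger indicators behind
 * fs:[30h] reads, the ThreadHideFromDebugger call, and the analyst-side query. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEB_OFF_BEINGDEBUGGED   0x02   /* same offset in 32- and 64-bit PEB */
#define PEB32_OFF_NTGLOBALFLAG  0x68
#define PEB64_OFF_NTGLOBALFLAG  0xBC
/* FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK | FLG_HEAP_VALIDATE_PARAMETERS:
 * set by the loader when the process was created under a debugger. */
#define FLG_HEAP_DEBUG_MASK     0x70

enum { IND_BEING_DEBUGGED = 1, IND_NTGLOBALFLAG = 2 };

/* Evaluate the two PEB fields from a PEB image; returns a bitmask of
 * indicators, or -1 when the buffer is too short to hold them. */
int peb_debug_indicators(const uint8_t *peb, size_t len, int is64) {
    size_t ngf = is64 ? PEB64_OFF_NTGLOBALFLAG : PEB32_OFF_NTGLOBALFLAG;
    if (len < ngf + 4) return -1;
    int ind = 0;
    if (peb[PEB_OFF_BEINGDEBUGGED]) ind |= IND_BEING_DEBUGGED;
    uint32_t flags;
    memcpy(&flags, peb + ngf, 4);
    if (flags & FLG_HEAP_DEBUG_MASK) ind |= IND_NTGLOBALFLAG;
    return ind;
}

/* Constructed PEB images (not captured from the sample) for offline use. */
int peb_selftest(void) {
    uint8_t peb32[0x100], peb64[0x100];
    memset(peb32, 0, sizeof peb32);
    memset(peb64, 0, sizeof peb64);
    if (peb_debug_indicators(peb32, sizeof peb32, 0) != 0) return 0;          /* clean */
    peb32[PEB_OFF_BEINGDEBUGGED] = 1;                                         /* attached */
    if (peb_debug_indicators(peb32, sizeof peb32, 0) != IND_BEING_DEBUGGED) return 0;
    uint32_t f = FLG_HEAP_DEBUG_MASK;                                         /* started under debugger */
    memcpy(peb64 + PEB64_OFF_NTGLOBALFLAG, &f, 4);
    if (peb_debug_indicators(peb64, sizeof peb64, 1) != IND_NTGLOBALFLAG) return 0;
    if (peb_debug_indicators(peb32, 0x10, 0) != -1) return 0;                 /* truncated */
    return 1;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
typedef NTSTATUS (NTAPI *pNtSetInformationThread)(HANDLE, ULONG, PVOID, ULONG);
typedef NTSTATUS (NTAPI *pNtQueryInformationThread)(HANDLE, ULONG, PVOID, ULONG, PULONG);
#define THREAD_HIDE_FROM_DEBUGGER 0x11

/* Live read of the current PEB: mov eax, fs:[30h] on x86, gs:[60h] on x64. */
int live_peb_indicators(void) {
#if defined(_M_IX86) || defined(__i386__)
    return peb_debug_indicators((const uint8_t *)__readfsdword(0x30), 0x100, 0);
#elif defined(_M_X64) || defined(__x86_64__)
    return peb_debug_indicators((const uint8_t *)__readgsqword(0x60), 0x100, 1);
#else
    return -1;
#endif
}

/* What the sample does: hide the calling thread from any attached debugger. */
int hide_current_thread(void) {
    pNtSetInformationThread f = (pNtSetInformationThread)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetInformationThread");
    return f && f(GetCurrentThread(), THREAD_HIDE_FROM_DEBUGGER, NULL, 0) == 0;
}

/* What an analyst does: ask the same class whether a thread is hidden (1/0, -1 on error). */
int is_thread_hidden(HANDLE thread) {
    pNtQueryInformationThread q = (pNtQueryInformationThread)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQueryInformationThread");
    BOOLEAN hidden = 0;
    if (!q || q(thread, THREAD_HIDE_FROM_DEBUGGER, &hidden, sizeof hidden, NULL) != 0) return -1;
    return hidden ? 1 : 0;
}
#endif

int main(void) {
    printf("offline self-test: %s\n", peb_selftest() ? "ok" : "FAIL");
#ifdef _WIN32
    printf("live PEB indicators: %d\n", live_peb_indicators());
    printf("hide: %d, hidden now: %d\n", hide_current_thread(), is_thread_hidden(GetCurrentThread()));
#endif
    return 0;
}
```

On a debugged process the live read returns 1 (BeingDebugged) when a debugger attached after launch, and 3 when it created the process. Hiding a thread is cheap to undo from the analyst side: anti-anti-debug plugins hook NtSetInformationThread and drop class 0x11, and a debugger plugin can poll is_thread_hidden on each thread to spot the ones the packer has already hidden.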
(xN marks N occurrences of the same instruction within one function)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02529200 mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02523A33 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F3A37 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F4235 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025402D5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025142DD mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F92D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F1AF9 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F3A9F mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F5A99 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024E4AA9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0252A2AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F737E mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F3379 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024E2B79 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F9329 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02512327 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251B329 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02530B2F mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F53C8 mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F4BC0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024FA3D8 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02533BC9 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F1BAD mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251E04F mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024FA067 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251281D mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025290D4 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025128C1 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024FA8E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F3899 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025138B9 cmp dword ptr fs:[00000030h], ebx; mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024E20B1 mov ebx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (x2); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F1979 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251D106 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251D92F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0254012B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025331D3 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024EA9C9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0252A1CF mov eax, dword ptr fs:[00000030h] (x2); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_025121F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02512997 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024E3989 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02533E71 mov ecx, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02531E6F mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0253261C mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024EBE3D mov ecx, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02532E2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F4EC8 mov eax, dword ptr fs:[00000030h] (x2); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_02513EF9 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024E1EFB mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251C6EC mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024E8EB9 mov eax, dword ptr fs:[00000030h]; mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024EBF04 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024ED700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0251BF08 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024F8FD9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_024FA7E9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\abd1 .exe  Code function: 3_2_0253FF99 mov eax, dword ptr fs:[00000030h] (x2)
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0253FF99 mov eax, dword ptr fs:[00000030h]3_2_0253FF99
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0253FF99 mov eax, dword ptr fs:[00000030h]3_2_0253FF99
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02531F9E mov eax, dword ptr fs:[00000030h]3_2_02531F9E
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ECFA0 mov eax, dword ptr fs:[00000030h]3_2_024ECFA0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ECFA0 mov eax, dword ptr fs:[00000030h]3_2_024ECFA0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ECFA0 mov eax, dword ptr fs:[00000030h]3_2_024ECFA0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ECFA0 mov eax, dword ptr fs:[00000030h]3_2_024ECFA0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024ECFA0 mov eax, dword ptr fs:[00000030h]3_2_024ECFA0
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02532FBC mov eax, dword ptr fs:[00000030h]3_2_02532FBC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02532FBC mov ecx, dword ptr fs:[00000030h]3_2_02532FBC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02532FBC mov ecx, dword ptr fs:[00000030h]3_2_02532FBC
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E2C09 mov eax, dword ptr fs:[00000030h]3_2_024E2C09
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E2C09 mov ecx, dword ptr fs:[00000030h]3_2_024E2C09
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E1C09 mov eax, dword ptr fs:[00000030h]3_2_024E1C09
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02527C3C mov eax, dword ptr fs:[00000030h]3_2_02527C3C
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251D425 mov eax, dword ptr fs:[00000030h]3_2_0251D425
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251D425 mov eax, dword ptr fs:[00000030h]3_2_0251D425
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4433 mov eax, dword ptr fs:[00000030h]3_2_024F4433
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4433 mov eax, dword ptr fs:[00000030h]3_2_024F4433
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4433 mov eax, dword ptr fs:[00000030h]3_2_024F4433
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4433 mov eax, dword ptr fs:[00000030h]3_2_024F4433
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E24E9 mov eax, dword ptr fs:[00000030h]3_2_024E24E9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E24E9 mov ecx, dword ptr fs:[00000030h]3_2_024E24E9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E24E9 mov eax, dword ptr fs:[00000030h]3_2_024E24E9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E1CF6 mov eax, dword ptr fs:[00000030h]3_2_024E1CF6
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E1CF6 mov eax, dword ptr fs:[00000030h]3_2_024E1CF6
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F2489 mov eax, dword ptr fs:[00000030h]3_2_024F2489
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F2489 mov eax, dword ptr fs:[00000030h]3_2_024F2489
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E3C89 mov eax, dword ptr fs:[00000030h]3_2_024E3C89
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E3C89 mov ecx, dword ptr fs:[00000030h]3_2_024E3C89
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E3C89 mov eax, dword ptr fs:[00000030h]3_2_024E3C89
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0253649B mov eax, dword ptr fs:[00000030h]3_2_0253649B
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0253649B mov ecx, dword ptr fs:[00000030h]3_2_0253649B
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02532484 mov eax, dword ptr fs:[00000030h]3_2_02532484
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02532484 mov eax, dword ptr fs:[00000030h]3_2_02532484
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251CCBA mov eax, dword ptr fs:[00000030h]3_2_0251CCBA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251CCBA mov eax, dword ptr fs:[00000030h]3_2_0251CCBA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251CCBA mov eax, dword ptr fs:[00000030h]3_2_0251CCBA
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02513CA1 mov eax, dword ptr fs:[00000030h]3_2_02513CA1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02513CA1 mov eax, dword ptr fs:[00000030h]3_2_02513CA1
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F1CB5 mov eax, dword ptr fs:[00000030h]3_2_024F1CB5
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251B4AF mov eax, dword ptr fs:[00000030h]3_2_0251B4AF
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251B4AF mov ecx, dword ptr fs:[00000030h]3_2_0251B4AF
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F1D59 mov eax, dword ptr fs:[00000030h]3_2_024F1D59
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F1D59 mov eax, dword ptr fs:[00000030h]3_2_024F1D59
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251DD6F mov eax, dword ptr fs:[00000030h]3_2_0251DD6F
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0251DD6F mov ecx, dword ptr fs:[00000030h]3_2_0251DD6F
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F5571 mov ecx, dword ptr fs:[00000030h]3_2_024F5571
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F5571 mov eax, dword ptr fs:[00000030h]3_2_024F5571
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E5500 mov eax, dword ptr fs:[00000030h]3_2_024E5500
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E5500 mov eax, dword ptr fs:[00000030h]3_2_024E5500
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024E5500 mov eax, dword ptr fs:[00000030h]3_2_024E5500
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4D39 mov eax, dword ptr fs:[00000030h]3_2_024F4D39
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4D39 mov eax, dword ptr fs:[00000030h]3_2_024F4D39
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F4D39 mov ecx, dword ptr fs:[00000030h]3_2_024F4D39
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F8D39 mov eax, dword ptr fs:[00000030h]3_2_024F8D39
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F8D39 mov eax, dword ptr fs:[00000030h]3_2_024F8D39
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_024F8D39 mov eax, dword ptr fs:[00000030h]3_2_024F8D39
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0252C5AB mov esi, dword ptr fs:[00000030h]3_2_0252C5AB
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02523DA9 mov eax, dword ptr fs:[00000030h]3_2_02523DA9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02523DA9 mov eax, dword ptr fs:[00000030h]3_2_02523DA9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02523DA9 mov eax, dword ptr fs:[00000030h]3_2_02523DA9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02523DA9 mov eax, dword ptr fs:[00000030h]3_2_02523DA9
                Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_02523DA9 mov ecx, dword ptr fs:[00000030h]3_2_02523DA9
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | Process queried: DebugPort
                Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
                Source: abd1 .exe, 00000003.00000002.590563639.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGERq
                Source: abd1 .exe, 00000003.00000002.590563639.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGER1
                Source: abd1 .exe, 00000003.00000002.590563639.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                Source: abd1 .exe, 00000003.00000003.329021627.000000000280B000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.589051217.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.517303228.0000000002C7A000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
                Source: abd1 .exe, 00000003.00000002.590563639.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGERA
                Source: abd1 .exe, 00000003.00000002.590563639.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Managerperience HostFhYSwgYWFh&iav=V2luZG93cyBEZWZlbmRlcg
                Source: abd1 .exe, 00000003.00000002.590563639.0000000002F8F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROGRAM MANAGER
                Source: abd1 .exe, 00000003.00000000.310275166.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | Binary or memory string: ProgmanU
                Source: abd1 .exe, 00000003.00000003.329021627.000000000280B000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.589051217.0000000002BFD000.00000040.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.517303228.0000000002C7A000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
                Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Roaming\abd1 .exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                MITRE ATT&CK Matrix (one row per line; cells separated by "|"; a leading number is the count shown in that cell)
                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                1 Replication Through Removable Media | 1 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 2 Process Injection | 21 Masquerading | 1 Credential API Hooking | 321 Security Software Discovery | 1 Replication Through Removable Media | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | 21 Input Capture | 13 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 21 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 13 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 2 Process Injection | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Obfuscated Files or Information | Cached Domain Credentials | 122 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 File Deletion | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                Initial Sample
                Source | Detection | Scanner | Label | Link
                z1F_4_T_U_r_4_2024mfdfgryry5.msi | 28% | ReversingLabs | Win32.Trojan.Razy |
                z1F_4_T_U_r_4_2024mfdfgryry5.msi | 42% | Virustotal | | Browse
                Dropped Files
                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\WebUI.dll | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\WebUI.dll | 31% | ReversingLabs | Win32.Trojan.Razy |
                C:\Users\user\AppData\Roaming\abd1 .exe | 0% | ReversingLabs | |
                C:\Windows\Installer\MSI6FF2.tmp | 0% | ReversingLabs | |
                C:\Windows\Installer\MSI714B.tmp | 0% | ReversingLabs | |
                C:\Windows\Installer\MSI71AA.tmp | 0% | ReversingLabs | |
                C:\Windows\Installer\MSI71E9.tmp | 0% | ReversingLabs | |
                C:\Windows\Installer\MSI7277.tmp | 0% | ReversingLabs | |
                Unpacked PE Files
                Source | Detection | Scanner | Label | Link
                6.2.abd1 .exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1204765 |
                Domains
                Source | Detection | Scanner | Label | Link
                ebaoffice.com.br | 0% | Virustotal | | Browse
                URLs
                Source | Detection | Scanner | Label | Link
                http://www.indyproject.org/ | 0% | URL Reputation | safe |
                https://ebaoffice.com.br/uCuE | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpR | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/9P | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpIBAD | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpf | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/m | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpLMEMp | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.php% | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.php2 | 0% | Avira URL Cloud | safe |
                http://stats.itopvpn.com/iusage.php | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpp | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpgBcD | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpY9FD | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionand | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.php: | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phporC: | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/ | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.php4 | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpt | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.php | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpC | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL | 0% | Avira URL Cloud | safe |
                https://ebaoffice.com.br/IP | 0% | Avira URL Cloud | safe |
                Domains and IPs
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                ebaoffice.com.br | 187.45.187.42 | true | false | | unknown
                Contacted URLs
                Name | Malicious | Antivirus Detection | Reputation
                https://ebaoffice.com.br/imagens/bo/inspecionando.php | false | Avira URL Cloud: safe | unknown
                URLs from Memory and Binaries
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://ebaoffice.com.br | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpR | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/9P | abd1 .exe, 00000006.00000002.507443605.000000000096C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/uCuE | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://schemas.xmlsoap.org/soap/envelope/ | abd1 .exe, 00000003.00000000.310275166.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | false | | high
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpLMEMp | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpIBAD | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.indyproject.org/ | abd1 .exe, 00000003.00000002.590563639.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.519324588.000000006A7F9000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 00000006.00000002.518434684.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.538859224.0000000002D70000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                https://ebaoffice.com.br/m | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpf | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.php% | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                http://stats.itopvpn.com/iusage.php | abd1 .exe, 00000003.00000000.310275166.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.php2 | abd1 .exe, 00000006.00000002.507443605.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpgBcD | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpp | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.thawte.com/cps0/ | z1F_4_T_U_r_4_2024mfdfgryry5.msi, MSI71AA.tmp.1.dr, MSI714B.tmp.1.dr, MSI7277.tmp.1.dr, MSI71E9.tmp.1.dr | false | | high
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpY9FD | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionand | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.php: | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phporC: | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.thawte.com/repository0W | z1F_4_T_U_r_4_2024mfdfgryry5.msi, MSI71AA.tmp.1.dr, MSI714B.tmp.1.dr, MSI7277.tmp.1.dr, MSI71E9.tmp.1.dr | false | | high
                https://ebaoffice.com.br/ | abd1 .exe, 00000006.00000002.507443605.0000000000927000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.php4 | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpt | abd1 .exe, 00000006.00000002.507443605.00000000008FC000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000006.00000002.507443605.00000000008F7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phpC | abd1 .exe, 00000003.00000002.592601515.00000000069D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL | abd1 .exe, 00000006.00000002.506925692.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 00000007.00000002.521027541.0000000000195000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.advancedinstaller.com | z1F_4_T_U_r_4_2024mfdfgryry5.msi, MSI71AA.tmp.1.dr, MSI714B.tmp.1.dr, MSI7277.tmp.1.dr, MSI71E9.tmp.1.dr | false | | high
                https://ebaoffice.com.br/IP | abd1 .exe, 00000006.00000002.507443605.000000000096C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                Contacted IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                15.228.77.178 | unknown | United States | 16509 | AMAZON-02US | false
                187.45.187.42 | ebaoffice.com.br | Brazil | 33182 | DIMENOCUS | false
                Joe Sandbox Version: 37.0.0 Beryl
                Analysis ID: 826204
                Start date and time: 2023-03-14 14:10:10 +01:00
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 9m 40s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes: 11
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample file name: z1F_4_T_U_r_4_2024mfdfgryry5.msi
                Detection: MAL
                Classification: mal76.evad.winMSI@8/27@1/2
                EGA Information: Failed
                HDC Information: Failed
                HCA Information: Failed
                Cookbook Comments:
                • Found application associated with file extension: .msi
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                • Execution Graph export aborted for target abd1 .exe, PID 2348 because it is empty
                • Execution Graph export aborted for target abd1 .exe, PID 5692 because there are no executed functions
                • Not all processes were analyzed; the report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
14:11:34 | API Interceptor | 1x Sleep call for process: abd1 .exe modified
14:11:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
14:12:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
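The two Autostart entries above are the persistence a responder would hunt for on other hosts: a Run value named abd1.exe whose data points into the user's roaming profile, recorded under both the HKCU and HKCU64 registry views. Note that the dropped-file entries later in this report name the binary "abd1 .exe", with a space before the extension, while the Run value data reads abd1.exe. The script below is an added example and is not part of the Joe Sandbox report: it parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints, resolves each value to an image path, and flags entries that live in user-writable directories, depend on environment variables, are unquoted with spaces, or carry whitespace inside the executable name. The registry text and the environment mapping are constructed for the example; a real run would feed in the output of `reg query` (run with `/reg:32` and `/reg:64`, and against the HKLM Run keys as well) and read `os.environ`.

```python
r"""Triage Run-key autostart entries such as the one this report records.

Added example, not part of the Joe Sandbox report. It parses the text that
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` prints and
returns the entries a responder should look at first. The registry text and
the environment mapping below are constructed for the example.
"""
import re

# Directory fragments (lower-case) that an unprivileged user can write to.
# Assumption: default Windows 10 profile layout.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\downloads\\",
    "\\users\\public\\",
)

# Constructed stand-in for the host environment; a real run would use os.environ.
DEFAULT_ENV = {
    "USERPROFILE": "C:\\Users\\user",
    "APPDATA": "C:\\Users\\user\\AppData\\Roaming",
    "LOCALAPPDATA": "C:\\Users\\user\\AppData\\Local",
    "TEMP": "C:\\Users\\user\\AppData\\Local\\Temp",
    "TMP": "C:\\Users\\user\\AppData\\Local\\Temp",
}

# Constructed sample in the shape `reg query` prints. The abd1.exe line mirrors
# the value this report lists under Autostart; the others are typical neighbours.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    abd1.exe    REG_SZ    C:\Users\user\AppData\Roaming\abd1.exe
    Updater    REG_EXPAND_SZ    %TEMP%\svc host.exe -s
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""


def expand_env(value, env=DEFAULT_ENV):
    """Expand %VAR% references the way REG_EXPAND_SZ data is expanded at load."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def executable_of(command):
    """Return (image_path, was_quoted) for a Run value's command line.

    For an unquoted command the image is taken to run up to the first token
    ending in .exe, which mirrors how CreateProcess resolves an unquoted path
    containing spaces by trying progressively longer prefixes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]), True
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i + 1]), False
    return (tokens[0] if tokens else ""), False


def parse_reg_query(text):
    """Yield (key, value_name, reg_type, data) tuples from `reg query` output."""
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # key lines are flush left
            key = raw.strip()
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            yield key, parts[0], parts[1], parts[2]


def suspicious_run_entries(text, env=DEFAULT_ENV):
    """Return the Run entries worth a closer look, each with its reasons."""
    findings = []
    for key, name, reg_type, data in parse_reg_query(text):
        image, quoted = executable_of(expand_env(data, env))
        image_l = image.lower()
        reasons = []
        if any(d in image_l for d in USER_WRITABLE_DIRS):
            reasons.append("image lives in a user-writable directory")
        if reg_type == "REG_EXPAND_SZ" and "%" in data:
            reasons.append("image path resolved through an environment variable")
        if not quoted and " " in image:
            reasons.append("unquoted image path containing spaces")
        if " " in image.rsplit("\\", 1)[-1]:
            reasons.append("whitespace inside the executable file name")
        if reasons:
            findings.append({"key": key, "name": name, "image": image,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(finding["name"], "->", finding["image"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The output is a triage list, not a verdict: per-user installers such as OneDrive legitimately live under AppData\Local and will be flagged alongside abd1.exe, so confirm each hit against the file's signer and hash before acting on it.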
Match (IP): 15.228.77.178
Associated Sample Name / URL | Detection | Threat Name
F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown
rPEDIDOS-10032023-X491kkum.msi | malicious | Unknown
z93nf_e_mnhhh345553.msi | malicious | Unknown
z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown
PEDIDOS-08032023-X388omke.msi | malicious | Unknown
Nota-LG-emitida-13488mhqt.msi | malicious | Unknown
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown
rPedido-Danfe-03-03-202316872pnlc.msi | malicious | Unknown
Autos-Processo 27-02-2023 ligh.msi | malicious | Unknown
rEmita-Danfe-01-03-20234076czdg.msi | malicious | Unknown

Match (IP): 187.45.187.42
Associated Sample Name / URL | Detection | Threat Name
F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown
z93nf_e_mnhhh345553.msi | malicious | Unknown
z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown
Match (domain): ebaoffice.com.br
Associated Sample Name / URL | Detection | Threat Name | Context
F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown | 187.45.187.42
z93nf_e_mnhhh345553.msi | malicious | Unknown | 187.45.187.42
z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown | 187.45.187.42
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
Match (ASN): AMAZON-02 (US)
Associated Sample Name / URL | Detection | Threat Name | Context
https://v64tvrgq.r.us-west-2.awstrack.me/L0/https:%2F%2Fstaging.grants.gov%2Fc%2Fblogs%2Ffind_entry%3Fp_1_id=0%26noSuchEntryRedirect=https:%2F%2Fdev.protektnet.com%2FMNU%2Ftsbrass.com%2Fbowers@tsbrass.com/1/01010186dda6eb22-92011f56-3982-495e-8e7e-47da4599e62b-000000/emQVswSVPSocLNQqyREyczYG174=313 | malicious | HTMLPhisher | 35.167.141.173
c97Xz2H8h2.exe | malicious | Njrat | 35.157.111.131
qgS40jk08T.exe | malicious | Njrat | 18.158.249.75
#Ufe0fATT53546789b.htm | malicious | HTMLPhisher | 13.32.99.90
hua.apk | malicious | Unknown | 13.228.23.243
8F7APsB7nl.exe | malicious | Njrat | 18.158.249.75
hua.apk | malicious | Unknown | 13.228.23.243
https://api-01.moengage.com/v1/emailclick?em=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=https://philshotel.com.pg/kaja/ncbdfh/lorzdue%2F%2F%2F%2Falbert.quietzsch@globalfoundries.com | malicious | HTMLPhisher | 52.216.57.176
x86-20230314-0547.elf | malicious | Mirai | 35.152.60.49
mips-20230314-0547.elf | malicious | Mirai | 52.53.96.18
arm-20230314-0547.elf | malicious | Mirai | 108.139.53.50
https://nxt.to/HwopA7O | malicious | Unknown | 3.64.129.233
XxvxipkL6q.exe | malicious | Njrat | 35.158.159.254
r6nJuQ2co4.exe | malicious | Metasploit, Meterpreter | 3.141.126.222
5HnZemSQvI.exe | malicious | Njrat | 3.121.139.82
rJjQ4OhL8O.exe | malicious | Metasploit, Meterpreter | 3.141.126.222
hvJSe5fSXC.exe | malicious | Metasploit, Meterpreter | 3.141.126.222
wIOSZ33Siu.exe | malicious | Metasploit, Meterpreter | 3.141.126.222
https://bs.serving-sys.com/Serving/adServer.bs?cn=brd&PluID=0&Pos=4292342187212&EyeblasterID=1086486580&clk=2&ctick=21342&rtu=https%3A%2F%2Fna2signing.web.app/ggrFe5shaBM2x0qgrFe5Fe5ndWO3k17s3RWO3rpdy9s3RWO3BM2 | malicious | HTMLPhisher | 52.32.243.140
https://api-01.moengage.com/v1/emailclick?em=joaquim.brites%40sma-europe.eu&user_id=%40%24xy%2A%40%21hYs%C2%B7%3A%C3%A7%C3%A8Z+%C3%98%15ll%C2%B8%C2%9C%C3%8A%C3%9A2%C2%8E%C2%AE+%C2%BD%C3%95h%C2%8A%C2%A4A%0A%C3%B3%00.5%1F&d=%40%24xy%2A%40%21hn%C2%8E%3C%60f%3B%24%5CoR%1B%C2%97+%C2%87cm&cid=%40%24xy%2A%40%21h%C2%BA%C2%A7M%C2%9E%C2%9E%14%24%0FD%C2%90%C2%BF%C3%AEZf%08%C3%B9%17%C3%B9%C3%B4b%C2%92l%C2%81%03%C2%89rxvM%C2%92V%28%C2%91%C3%91%00%C3%AF%1Ds%C2%A7%C2%86V%C3%A4%3F%0D%C3%91%C2%9BOt%C2%B3J%C2%BE%C3%87%C2%ACvs%1B%C3%BE%C3%81%C3%91%C2%AAiqD%C3%B8%C3%B3%7F%2C%16+%3E%5C%C3%88%C3%88%C3%97o%21%07%C2%AA%C3%A1%25%0B%C2%BF%00%10&ut=l&moeclickid=61b35f5997223f7c61e6625a_F_T_EM_AB_0_P_0_TIME_2021-12-10+14%3A09%3A02.859891_L_0ecli27&rlink=https://atlanticlogistics.com.ng%2F%2F%2F%2F/.host/%2F%2F%2F%2Fauth/8mbbe56%2F%2F%2F%2Fpacermail@psc.uscourts.gov | malicious | Unknown | 3.73.219.16
DIMENOCUSATT98089.htm | malicious | HTMLPhisher | 198.136.61.4
ATT98089.htm | malicious | HTMLPhisher | 198.136.61.4
F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown | 187.45.187.42
COTIZACIONES_GOYMA.xlsx.exe | malicious | AgentTesla | 184.171.242.24
z93nf_e_mnhhh345553.msi | malicious | Unknown | 187.45.187.42
z1n_f_e_Fa_tu_r4_03.msi | malicious | Unknown | 187.45.187.42
https://darudar.org/external/?link=https://ymxvy2thdhrhy2tz-x54vm.pagemaker.link/ymxv-y-2-thd-h-rh-y-2-tz?draft | malicious | HTMLPhisher | 98.142.99.242
http://links.next-retail.mkt4934.com/ctt?m=34617369&r=LTU2NTczOTM1NjIS1&b=0&j=MjMwMzU2NDUwOQS2&k=TrackYourOrder&kx=1&kt=5&kd=https://grupocrusol.com.mx/new/auth//1v5egwymixx7f//kmccormick@elkandelk.com | malicious | HTMLPhisher | 98.142.99.242
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
__B0L3T0_06Marc_23_f4tur4__.msi | malicious | Unknown | 187.45.187.42
arm7.elf | malicious | Mirai, Moobot | 212.18.238.174
https://affiliate.insider.com/?amazonTrackingID=biauto-1053-20&postID=61b8efc8f2a36b1ac9f42d54&site=in&u=http://Motional.houseoflegendsusa.com/Motional/zeb.dawson@motional.com | malicious | HTMLPhisher | 198.49.73.146
Employees New Payroll Amendment.htm | malicious | HTMLPhisher, ReCaptcha Phish | 187.45.187.106
ORDEN DE COMPRA 80107.vbs | malicious | AgentTesla | 184.171.242.24
Scanned documents. Tuesday February 7 2023 (12.6 KB).msg | malicious | HTMLPhisher | 67.23.248.124
MvgLSNs1B8.exe | malicious | AgentTesla, zgRAT | 184.171.242.24
91#U03a3.vbs | malicious | AgentTesla | 184.171.242.24
Teknik veri sayfas#U0131.exe | malicious | AgentTesla | 186.227.194.42
Statement 210826.exe | malicious | AgentTesla | 138.128.163.242
1194 FE7191PO1.exe | malicious | AgentTesla | 138.128.163.242
Match (JA3 fingerprint): 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
Komfortens.exe | malicious | AgentTesla, GuLoader | 187.45.187.42
fJXbhkbAh4.exe | malicious | FormBook, GuLoader | 187.45.187.42
file.exe | malicious | Babuk, Djvu, SmokeLoader | 187.45.187.42
file.exe | malicious | Vidar | 187.45.187.42
10Key632_AllWin_Upgrade.exe | malicious | Unknown | 187.45.187.42
SC_TR11670000.exe | malicious | GuLoader, Lokibot | 187.45.187.42
SITAMO_COMPARTIMENTACION_DE_OFICINAS_S.L_OFERTA_2563400.exe | malicious | AgentTesla, GuLoader | 187.45.187.42
EXCEL STATEMENT0093 03_13_23.xlsx | malicious | HTMLPhisher | 187.45.187.42
MEDIANET_SOLUTIONS_SL_OFERTA_2602288.exe | malicious | AgentTesla, GuLoader | 187.45.187.42
EXCEL STATEMENT0093 03_13_23.xlsx | malicious | HTMLPhisher | 187.45.187.42
file.exe | malicious | Socelars | 187.45.187.42
setup.exe | malicious | Djvu | 187.45.187.42
setup.exe | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | 187.45.187.42
GCE0323.vbs | malicious | AgentTesla | 187.45.187.42
Drawings_and_specifications.vbs | malicious | Unknown | 187.45.187.42
file.exe | malicious | AgentTesla, GuLoader | 187.45.187.42
F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown | 187.45.187.42
dYnCG9EA36.exe | malicious | Amadey, Djvu, RedLine, SmokeLoader | 187.45.187.42
SHIPPPING-DOC..exe | malicious | FormBook, GuLoader | 187.45.187.42
cnCBwuJbqc.exe | malicious | Amadey, Djvu, SmokeLoader | 187.45.187.42
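The JA3 value above is the MD5 of a string built from the fields a TLS client sends in its ClientHello (legacy version, cipher suites, extension types, supported groups, EC point formats), so it identifies the TLS library and its configuration rather than a malware family. That is visible in the table itself: the same fingerprint is shared by samples classified AgentTesla, GuLoader, Djvu, SmokeLoader, Vidar, FormBook, Lokibot, Babuk, RedLine and Amadey as well as the MSI lures, and every row also shares the destination 187.45.187.42. Pivot on the fingerprint together with the destination, not on the fingerprint alone. The code below is an added example, not part of the Joe Sandbox report: it parses a ClientHello record, strips GREASE values and computes the JA3 string and hash. The ClientHello bytes are constructed with a small builder so the example runs offline; on a real capture, pass the first TLS record of the client's TCP payload (reassembled if it spans segments).

```python
"""Compute a JA3 fingerprint from a TLS ClientHello.

Added example, not part of the Joe Sandbox report. It shows what the
32-hex-character value in the JA3 table is made of. The ClientHello bytes
are constructed here with a small builder so the example runs offline.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them from the
# cipher, extension and group lists so randomised GREASE does not change the hash.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16_list(values):
    return b"".join(struct.pack(">H", v) for v in values)


def build_client_hello(version, ciphers, extensions):
    """Assemble one TLS record carrying a ClientHello (constructed test input).

    `extensions` is a list of (extension_type, body_bytes) pairs."""
    body = struct.pack(">H", version) + bytes(32)       # client_version, random
    body += b"\x00"                                      # empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + _u16_list(ciphers)
    body += b"\x01\x00"                                  # compression: null only
    ext_blob = b"".join(struct.pack(">HH", t, len(eb)) + eb for t, eb in extensions)
    body += struct.pack(">H", len(ext_blob)) + ext_blob
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3(record):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if len(record) < 6 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                                # skip type + 3-byte length
    version = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2 + 32                                          # client_version, random
    p += 1 + hs[p]                                       # session id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                       # compression methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            ext_body = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            ext_types.append(etype)
            if etype == 10:                              # supported_groups: u16 len + u16 list
                n = struct.unpack(">H", ext_body[:2])[0]
                groups = [struct.unpack(">H", ext_body[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                            # ec_point_formats: u8 len + u8 list
                formats = list(ext_body[1:1 + ext_body[0]])

    def keep(values):
        return [v for v in values if v not in GREASE]

    fields = (
        str(version),
        "-".join(map(str, keep(ciphers))),
        "-".join(map(str, keep(ext_types))),
        "-".join(map(str, keep(groups))),
        "-".join(map(str, formats)),                     # point formats are never GREASEd
    )
    ja3_string = ",".join(fields)
    return ja3_string, hashlib.md5(ja3_string.encode()).hexdigest()


# Constructed ClientHello: one GREASE cipher and one GREASE group are included
# to show that they do not reach the fingerprint.
SAMPLE_HELLO = build_client_hello(
    0x0303,                                   # TLS 1.2 in the legacy version field
    [0x1a1a, 0xc02b, 0xc02f, 0x002f],         # GREASE, then three real suites
    [
        (0, b"\x00\x0e\x00\x00\x0bexample.com"),        # server_name
        (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),       # groups: GREASE, x25519, secp256r1
        (11, b"\x01\x00"),                               # point formats: uncompressed
        (35, b""),                                       # session_ticket (empty)
    ],
)

if __name__ == "__main__":
    s, h = ja3(SAMPLE_HELLO)
    print(s)
    print(h)
```

The hash changes with any difference in cipher order, extension order or group list, which is why one library build yields one stable value across every family that embeds it; JA3 is therefore most useful as a filter combined with destination, SNI and certificate data.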
Match (dropped file): C:\Users\user\AppData\Roaming\abd1 .exe
Associated Sample Name / URL | Detection | Threat Name
F_4_T_U_R_4___nf____0992344.4354.msi | malicious | Unknown
rPEDIDOS-10032023-X491kkum.msi | malicious | Unknown
j3PHT0tBBF.msi | malicious | Unknown
j3PHT0tBBF.msi | malicious | Unknown
B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi | malicious | Unknown
rPedido-Danfe-03-03-202316872pnlc.msi | malicious | Unknown
Autos-Processo 27-02-2023 ligh.msi | malicious | Unknown
rEmita-Danfe-01-03-20234076czdg.msi | malicious | Unknown
Formulario_20183.msi | malicious | Hidden Macro 4.0
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):1640
                                                                          Entropy (8bit):5.54731751009777
                                                                          Encrypted:false
                                                                          SSDEEP:24:Wg8jg9p9nlTi6OZh26ANd/3xDL8B8INcs+/6+fJDw4ib+w4ib3idnw4ibMPzC+q+:W5EHARegB/cq+fS/l8CPUAX6Uq
                                                                          MD5:E57D3777BA86A335757CB2525405B1AE
                                                                          SHA1:D142DC1F3D22E5D4BCE898064CB13EF980AC7417
                                                                          SHA-256:8DEA03618E269F4C091529A483A8BD94A5959FA4D0D755177DABB8CAEC6EDDA2
                                                                          SHA-512:C2E369FE2AB09BBC4E6E7ED5723C627B5F4462594FC17EBBEA29607F448F5799260A387C94477BC195E0B6A3808AD457106C3D80E7ED4678F6DAE55F7A81A5B9
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:...@IXOS.@.....@dqnV.@.....@.....@.....@.....@.....@......&.{DD2F54EA-F711-48DE-8642-20D28E97CFD4}..Aplicativo Windows .z1F_4_T_U_r_4_2024mfdfgryry5.msi.@.....@.....@.....@........&.{E6A0B7A3-0DB3-4FF9-A7D0-4CE6CD02964C}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{279056F3-5587-4E7B-AB9D-DCCCBE70B1B0}&.{DD2F54EA-F711-48DE-8642-20D28E97CFD4}.@......&.{3383F62D-C9DC-4944-B060-A04DF20B2D51}&.{DD2F54EA-F711-48DE-8642-20D28E97CFD4}.@......&.{6E7C7FB2-232B-4E0E-A7F5-BFBE1C8F0450}&.{DD2F54EA-F711-48DE-8642-20D28E97CFD4}.@......&.{3172B725-CD19-4770-8615-B600D7CBC2C7}&.{DD2F54EA-F711-48DE-8642-20D28E97CFD4}.@........CreateFolders..Criando novas pastas..Pasta: [1]"...C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~.........X..
                                                                          Process:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):32
                                                                          Entropy (8bit):4.390319531114783
                                                                          Encrypted:false
                                                                          SSDEEP:3:1EypyGrSov:1XpyGn
                                                                          MD5:DADDE73B5BB747D92DE22D3AE0169841
                                                                          SHA1:4C893699F099FB8FDBD3846623073D5DB0862D74
                                                                          SHA-256:CC14FD67A43B8692D2603465AB1F480BD755FAA6ACC9BCD7F0DC27DF5E4938C9
                                                                          SHA-512:2F66ADC05F52D4327F3A106CBB4EEC666A3ED0B607CA6E1C9C12919D902061723A668752169A900CDB169687336CE06A3785CBC01576B2DCDA0C4A5A25F9D045
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:[Generate Pasta]..rsWOpCNxTziw..
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):158432
                                                                          Entropy (8bit):3.7923565345492785
                                                                          Encrypted:false
                                                                          SSDEEP:1536:vvrXUmDXyML0u6hogle/ETmPqtBXILuyexNC27U6ucNb62K7oiKFBLRMHnrHCORu:jwj1FDxtNJ
                                                                          MD5:14AFFC8D037E76589D6802259B174B09
                                                                          SHA1:B9BEA18DBE6534F9A432BDBC14EE0DE3EE32F66F
                                                                          SHA-256:FB8F0DA7C47B7BB3674088E523655F1319C3E22163F70EE8651FCE8FB633B488
                                                                          SHA-512:E029E6A1B6A479DE26A6F427905033A7C7586926F46A80C3C1608EB4C53C99406D6AFFCE9C70A79CA51E338A5F46E8073C99AE98AFB088FC19E6961B013E9983
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .3./.1.4./.2.0.2.3. . .1.4.:.1.1.:.0.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.E.C.:.F.0.). .[.1.4.:.1.1.:.0.4.:.2.7.5.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.E.C.:.F.0.). .[.1.4.:.1.1.:.0.4.:.2.7.5.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.E.C.:.2.C.). .[.1.4.:.1.1.:.0.4.:.3.2.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.E.C.:.2.C.). .[.1.4.:.1.1.:.0.4.:.3.2.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):7125504
                                                                          Entropy (8bit):7.867996822449751
                                                                          Encrypted:false
                                                                          SSDEEP:196608:B2wvIJvDbDTUxLDV97I/Had9cxazP8mtkoQ:UFfOPE/6dgazFkj
                                                                          MD5:FDE526F83557ABA523FFC4646E76BB7D
                                                                          SHA1:C2D2A82D34894C32877A462DC10E47ED9816C3D4
                                                                          SHA-256:01E2CD29AD6F705F407E1B230265227B00A28E018AA7EEA8C5D093174A630D8F
                                                                          SHA-512:96E11A10BC483D7C6BFD9B7247403C9F25E2481943FDC5998DD58251758A967FA730F19C6F20CCC883A97FD1DB735F79D5C0701B2238FDAF28B9D6AC506321D3
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 31%
                                                                          Reputation:low
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......d...........!.................l)...........@...........................4.......m...@.........................G.)......@4.T....P4......................`4.x....................................................................................text.............P.................`....sedata...............P............. ....idata.......@4.......l.............@....rsrc........P4.......l.............@....reloc.......`4.......l.............@..B.sedata......p4.......l.............@..@................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):1856512
                                                                          Entropy (8bit):6.763893864307226
                                                                          Encrypted:false
                                                                          SSDEEP:24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
                                                                          MD5:CEEF4762B36067F1D32A0DB621EE967E
                                                                          SHA1:D23DA38DF6B0FCA8C524B641C59C700A2338648E
                                                                          SHA-256:EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                                                                          SHA-512:6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Joe Sandbox View:
                                                                          • Filename: F_4_T_U_R_4___nf____0992344.4354.msi, Detection: malicious, Browse
                                                                          • Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse
                                                                          • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                          • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                          • Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse
                                                                          • Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse
                                                                          • Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse
                                                                          • Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse
                                                                          • Filename: Formulario_20183.msi, Detection: malicious, Browse
                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {E6A0B7A3-0DB3-4FF9-A7D0-4CE6CD02964C}, Number of Words: 10, Subject: Aplicativo Windows, Author: Aplicativo Windows, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 14 01:48:15 2023, Number of Pages: 200
                                                                          Category:dropped
                                                                          Size (bytes):8487936
                                                                          Entropy (8bit):7.9228057897301465
                                                                          Encrypted:false
                                                                          SSDEEP:196608:D2B+nM6wQRaDOUJVDM6wIqlNNrU5B+TZTEC4Ij:DjzAxLdqvNoB+TGI
                                                                          MD5:61FF4CDAE6F7986EF209560F4FE38FBF
                                                                          SHA1:F780332539B013A07BC84943C98B04D155619FC5
                                                                          SHA-256:4735B8E4CB072FA17EDE40FC38737FE87ED2B1E6BE7BD72A6F28E4F037613E13
                                                                          SHA-512:AF985F5820BE979FBDB58B82F1EAFCE24A75A8DB84F68CFC8071A4ED495C8C9CCBBCEDF1495B7BDA6A55B3FA4785A5F22A37482DAF145270A84AAF6A84FF0361
                                                                          Malicious:false
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):592288
                                                                          Entropy (8bit):6.451258406471538
                                                                          Encrypted:false
                                                                          SSDEEP:6144:AgfrHltQFK4iVWYFkkc0V1koKRcWyxjg3AOqQb985Gt5A6U:AgDfnzVbkY1kdRlz8M98536U
                                                                          MD5:89AFE34385AB2B63A7CB0121792BE070
                                                                          SHA1:56CDF3F32D03AA4A175FA69A33A21AAF5B42078D
                                                                          SHA-256:36E35EAFC91451A38AD7E7958156841CD2F004D5791FD862D5AFA4D5F9DF9103
                                                                          SHA-512:14A851B3B4D3B8DBB9A2B3EA84D3C30FC9884A8924AF0726A717C68DB5E8F5E717DC78CA62E5F455010E46C1FECF294791B89F7426CC14FFDD4C84945518BB9C
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1966
                                                                          Entropy (8bit):5.248290595098431
                                                                          Encrypted:false
                                                                          SSDEEP:24:7g8jg9p9nlTi6OZhEu6AN2/6JdDARK4Wr6dccFytcx/6+eSPM+sPvI8cEwWHYH65:75EHA4i0RWYuB+AnQcpqA7AX6ObmVl
                                                                          MD5:01086FC07C5A8E92232E50BC60C1C936
                                                                          SHA1:2482F48841912E7B1214C144D40D88715EF1054E
                                                                          SHA-256:92DAA71CAFDC0C802BA92F95BC9D4EDD5FD3384E13112500B55F5823D82752CB
                                                                          SHA-512:D28A1C83A440087986775D5F108AB40517657C9385A776E2988AFF279C9997693BA30C81444C4EF639D55EE7DEC7B5A1B3AD53DF7384467A867A5F2F85A1D722
                                                                          Malicious:false
                                                                          Preview:...@IXOS.@.....@dqnV.@.....@.....@.....@.....@.....@......&.{DD2F54EA-F711-48DE-8642-20D28E97CFD4}..Aplicativo Windows .z1F_4_T_U_r_4_2024mfdfgryry5.msi.@.....@.....@.....@........&.{E6A0B7A3-0DB3-4FF9-A7D0-4CE6CD02964C}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{279056F3-5587-4E7B-AB9D-DCCCBE70B1B0}..C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{3383F62D-C9DC-4944-B060-A04DF20B2D51}:.01:\Software\Aplicativo Windows\Aplicativo Windows\Version.@.......@.....@.....@......&.{6E7C7FB2-232B-4E0E-A7F5-BFBE1C8F0450}(.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@.......@.....@.....@......&.{3172B725-CD19-4770-8615-B600D7CBC2C7}(.C:\Users\user\AppData\Roaming\WebUI.dll.@.......@.....@.....@......
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):1.1738377668522646
                                                                          Encrypted:false
                                                                          SSDEEP:12:JSbX72Fj7xJAGiLIlHVRpbh/7777777777777777777777777vDHF80ItXwieIyx:JHJQI5/PItXm978F
                                                                          MD5:924DB1733526FD13014439547590CCE5
                                                                          SHA1:96C6DE71384E5F69E295BFFAD2970013E891A575
                                                                          SHA-256:4459968314C86A1978BE4FD7C351715F19EE7CD8BE805DBD3A6C07AB32C4D1D2
                                                                          SHA-512:B3C191E1FCCDFA5019400ADCB40254DC2A378317DBACA8DDB84D5D51FE4DC6B2894DD54BF25A3217469DF828A62B20FE08913C7AEB26E16F953179C789F75699
                                                                          Malicious:false
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):1.5083819383347188
                                                                          Encrypted:false
                                                                          SSDEEP:48:+8PhBuRc06WXJQFT5PuF3JHMSCWAECiCyjMHoSpgMSCcTO:xhB1TFTiZs1EC0Mft
                                                                          MD5:764767790F0F2E6CA459842623ED5898
                                                                          SHA1:D97A246100B6128AA2806B677354166B0493A032
                                                                          SHA-256:470514454B55F3DD7D4C34E1605DB30C029D9A1AE80101511D13079E9134078E
                                                                          SHA-512:60368F89A0E7090700CBECE845EFE0D96EEA57E142339EA64D02CECCEC1F2428751CA963DBE7518CE1FA1411062654F7055CD2F0D56E40AE9C520253DABE56E6
                                                                          Malicious:false
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):79122
                                                                          Entropy (8bit):5.282152338915408
                                                                          Encrypted:false
                                                                          SSDEEP:192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyid:yXs9UogeWeH29qclhmwYyid
                                                                          MD5:518692854A3578FBBC6B47C5B06D1663
                                                                          SHA1:3025C91F61A08FE9C317CE38E28C9271BE8B66AE
                                                                          SHA-256:9533FD674F9D8ADB9322A85D0AC20850FDB51F364382F1AF487CF2837B0AA312
                                                                          SHA-512:7F0CD938432AF2E4A509829A048D5D31D328DA7C81EF02AC474D7BD35F815BA50D012230E1B474B43288649366B123B5B7936405A51085B4FF2038F37DCA62EB
                                                                          Malicious:false
                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):0.07936887057574461
                                                                          Encrypted:false
                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO8SvNItXwiK2A1CyIWM1IVky6lMt/:2F0i8n0itFzDHF80ItXwieIyOM1
                                                                          MD5:809261C01234A26E9B6F4DEBAFECA414
                                                                          SHA1:5732620BE0EFE36748A4976EA1A6A298A1FC0CE9
                                                                          SHA-256:9644CE818692336976379DF78F73C0444A3F16245657200D57E89970C3F92D53
                                                                          SHA-512:B6B14D4B4B6B967F2FE218AA0DEB298C08FFA6F0D5B3FB9A3230B5F5716AD1987F5C6CC6D79AF9C7E576BCC32B883D7F185582E5893CD3EBDD3F7C18216BC6CF
                                                                          Malicious:false
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3::
                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                          Malicious:false
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):1.2127978363904077
                                                                          Encrypted:false
                                                                          SSDEEP:48:k905uZO+CFXJVT5JuF3JHMSCWAECiCyjMHoSpgMSCcTO:kC5h9TIZs1EC0Mft
                                                                          MD5:ED4C243B84B241C42E2A9B33A6E1FE44
                                                                          SHA1:8B3DDCEED08EED0603A1C7DDFA30DC2C9F116C96
                                                                          SHA-256:1A9DD778708D45599D49B002C3AC34A176622FF899A6883E6AE3CA8571E93976
                                                                          SHA-512:0F224F4C38DE0B500FAB71C555F73E2DC5B6725DBAF2E841DB27E51DA2A9699534456EF07BD5D1DBDA88D8C43C5847955EDB13BA523ECE8079E1AAC366B9BE33
                                                                          Malicious:false
                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3::
                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                          Malicious:false
                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3::
                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                          Malicious:false
                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3::
                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                          Malicious:false
                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):73728
                                                                          Entropy (8bit):0.11622038105696603
                                                                          Encrypted:false
                                                                          SSDEEP:24:NY6iscTxkrwipVkrakrwipVkrSAEVkryjCyjMHV2BwGYpUZ+jSF3b:eTTeMSCpMSCWAECiCyjMHoSpy/F3b
                                                                          MD5:A36B350BCE4AFC7DF9F19F44E09855F9
                                                                          SHA1:8F14F867DB726D1CEF1463598B8EE05AB96BDCC1
                                                                          SHA-256:5AEA78284E9DC1C288134D6C56283E10F1E19CFFD5D1598DE1E33E1E3D6A0287
                                                                          SHA-512:EE986350B1F0AB43B467CD1BF99C432895797385CAEFDD0D66D3B2201BBDFFA4573F67B62FFB148F870510F8F39F891183B3E4351135BCB84E6B168882D78705
                                                                          Malicious:false
                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):512
                                                                          Entropy (8bit):0.0
                                                                          Encrypted:false
                                                                          SSDEEP:3::
                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                          Malicious:false
                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):1.2127978363904077
                                                                          Encrypted:false
                                                                          SSDEEP:48:k905uZO+CFXJVT5JuF3JHMSCWAECiCyjMHoSpgMSCcTO:kC5h9TIZs1EC0Mft
                                                                          MD5:ED4C243B84B241C42E2A9B33A6E1FE44
                                                                          SHA1:8B3DDCEED08EED0603A1C7DDFA30DC2C9F116C96
                                                                          SHA-256:1A9DD778708D45599D49B002C3AC34A176622FF899A6883E6AE3CA8571E93976
                                                                          SHA-512:0F224F4C38DE0B500FAB71C555F73E2DC5B6725DBAF2E841DB27E51DA2A9699534456EF07BD5D1DBDA88D8C43C5847955EDB13BA523ECE8079E1AAC366B9BE33
                                                                          Malicious:false
                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):1.5083819383347188
                                                                          Encrypted:false
                                                                          SSDEEP:48:+8PhBuRc06WXJQFT5PuF3JHMSCWAECiCyjMHoSpgMSCcTO:xhB1TFTiZs1EC0Mft
                                                                          MD5:764767790F0F2E6CA459842623ED5898
                                                                          SHA1:D97A246100B6128AA2806B677354166B0493A032
                                                                          SHA-256:470514454B55F3DD7D4C34E1605DB30C029D9A1AE80101511D13079E9134078E
                                                                          SHA-512:60368F89A0E7090700CBECE845EFE0D96EEA57E142339EA64D02CECCEC1F2428751CA963DBE7518CE1FA1411062654F7055CD2F0D56E40AE9C520253DABE56E6
                                                                          Malicious:false
                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):32768
                                                                          Entropy (8bit):1.2127978363904077
                                                                          Encrypted:false
                                                                          SSDEEP:48:k905uZO+CFXJVT5JuF3JHMSCWAECiCyjMHoSpgMSCcTO:kC5h9TIZs1EC0Mft
                                                                          MD5:ED4C243B84B241C42E2A9B33A6E1FE44
                                                                          SHA1:8B3DDCEED08EED0603A1C7DDFA30DC2C9F116C96
                                                                          SHA-256:1A9DD778708D45599D49B002C3AC34A176622FF899A6883E6AE3CA8571E93976
                                                                          SHA-512:0F224F4C38DE0B500FAB71C555F73E2DC5B6725DBAF2E841DB27E51DA2A9699534456EF07BD5D1DBDA88D8C43C5847955EDB13BA523ECE8079E1AAC366B9BE33
                                                                          Malicious:false
                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):20480
                                                                          Entropy (8bit):1.5083819383347188
                                                                          Encrypted:false
                                                                          SSDEEP:48:+8PhBuRc06WXJQFT5PuF3JHMSCWAECiCyjMHoSpgMSCcTO:xhB1TFTiZs1EC0Mft
                                                                          MD5:764767790F0F2E6CA459842623ED5898
                                                                          SHA1:D97A246100B6128AA2806B677354166B0493A032
                                                                          SHA-256:470514454B55F3DD7D4C34E1605DB30C029D9A1AE80101511D13079E9134078E
                                                                          SHA-512:60368F89A0E7090700CBECE845EFE0D96EEA57E142339EA64D02CECCEC1F2428751CA963DBE7518CE1FA1411062654F7055CD2F0D56E40AE9C520253DABE56E6
                                                                          Malicious:false
                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
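As an added check (example code, not part of the report or of Joe Sandbox's own tooling): the 512-byte "data" entries above all carry the same four digests, entropy 0.0 and the degenerate ssdeep value "3::", which is what a zero-filled sector looks like. The script constructs 512 null bytes, hashes them with the four algorithms the report uses and compares the digests with the values the report lists; the entropy function is an assumed re-implementation of the report's 8-bit entropy measure, and `worth_a_look` is an assumed triage rule, not a Joe Sandbox verdict.

```python
"""Added example, not part of the Joe Sandbox report: check whether the
512-byte "data" files that msiexec.exe dropped are zero-filled sectors.
The hash values are copied from the report; the 512 null bytes are
constructed here rather than extracted from the sample, and the entropy
function is this example's own implementation of 8-bit Shannon entropy."""
import hashlib
import math
from collections import Counter

# Hash values the report lists for every 512-byte dropped "data" file.
REPORTED = {
    "md5": "BF619EAC0CDF3F68D496EA9344137E8B",
    "sha1": "5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5",
    "sha256": "076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560",
    "sha512": ("DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7"
               "905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE"),
}

ZERO_SECTOR = bytes(512)  # constructed input: one all-zero 512-byte sector


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report shows."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in REPORTED}


def classify(data: bytes) -> dict:
    """Summarise a dropped file the way a triage script would before
    deciding whether it deserves a second look."""
    d = digests(data)
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "zero_filled": not any(data),
        "matches_report": {name: d[name] == REPORTED[name] for name in REPORTED},
    }


def worth_a_look(data: bytes) -> bool:
    """Assumed triage rule: zero-filled sectors and files whose digests match
    the report's known-empty values can be skipped; anything else is queued."""
    c = classify(data)
    return not c["zero_filled"] and not all(c["matches_report"].values())


if __name__ == "__main__":
    print(classify(ZERO_SECTOR))
    print("worth a look:", worth_a_look(ZERO_SECTOR))
```

The practical point is that identical hashes across many dropped files are not evidence of a shared payload; here they are the fingerprint of an empty sector, and these digests are worth putting on an analyst allow-list so that they stop triggering "same file dropped N times" alerts.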
                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {E6A0B7A3-0DB3-4FF9-A7D0-4CE6CD02964C}, Number of Words: 10, Subject: Aplicativo Windows, Author: Aplicativo Windows, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Mar 14 01:48:15 2023, Number of Pages: 200
                                                                          Entropy (8bit):7.9228057897301465
                                                                          TrID:
                                                                          • Microsoft Windows Installer (77509/1) 52.18%
                                                                          • Windows SDK Setup Transform Script (63028/2) 42.43%
                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                                                          File name:z1F_4_T_U_r_4_2024mfdfgryry5.msi
                                                                          File size:8487936
                                                                          MD5:61ff4cdae6f7986ef209560f4fe38fbf
                                                                          SHA1:f780332539b013a07bc84943c98b04d155619fc5
                                                                          SHA256:4735b8e4cb072fa17ede40fc38737fe87ed2b1e6be7bd72a6f28e4f037613e13
                                                                          SHA512:af985f5820be979fbdb58b82f1eafce24a75a8db84f68cfc8071a4ed495c8c9ccbbcedf1495b7bda6a55b3fa4785a5f22a37482daf145270a84aaf6a84ff0361
                                                                          SSDEEP:196608:D2B+nM6wQRaDOUJVDM6wIqlNNrU5B+TZTEC4Ij:DjzAxLdqvNoB+TGI
                                                                          TLSH:CD862322B2C7C522C65D027BE859FE5E05797EB3473111E3B6F8796E84F0CC062BA646
                                                                          File Content Preview:........................>.......................................................E.......b.......n...............................................e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...{...|...}...~..........
                                                                          Icon Hash:a2a0b496b2caca72
TCP packets
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Mar 14, 2023 14:11:34.229559898 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:34.229643106 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:34.229765892 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:34.346455097 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:34.346564054 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:34.756629944 CET  49696        80         192.168.2.4    15.228.77.178
Mar 14, 2023 14:11:35.058782101 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.059017897 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.302448034 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.302488089 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.303448915 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.303571939 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.305885077 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.305911064 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.935142040 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.935301065 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.935334921 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.935370922 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.935524940 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.935550928 CET  443          49695      187.45.187.42  192.168.2.4
Mar 14, 2023 14:11:35.935607910 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:35.936675072 CET  49695        443        192.168.2.4    187.45.187.42
Mar 14, 2023 14:11:37.847208977 CET  49696        80         192.168.2.4    15.228.77.178
Mar 14, 2023 14:11:43.847716093 CET  49696        80         192.168.2.4    15.228.77.178

Note: no packet from 15.228.77.178 appears in the capture. The three outbound packets to 15.228.77.178:80 at +0 s, +3.1 s and +9.1 s are consistent with TCP SYN retransmissions of a connection that never completed, so that host should be treated as a second, unreached contact point rather than as a confirmed C2.
UDP packets
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 14, 2023 14:11:33.973382950 CET  56572        53         192.168.2.4  8.8.8.8
Mar 14, 2023 14:11:34.199709892 CET  53           56572      8.8.8.8      192.168.2.4

DNS queries
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Mar 14, 2023 14:11:33.973382950 CET  192.168.2.4  8.8.8.8  0x94c0    Standard query (0)  ebaoffice.com.br  A (IP address)  IN (0x0001)  false

DNS answers
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName   Address        Type            Class        DNS over HTTPS
Mar 14, 2023 14:11:34.199709892 CET  8.8.8.8    192.168.2.4  0x94c0    No error (0)  ebaoffice.com.br  (none)  187.45.187.42  A (IP address)  IN (0x0001)  false

Contacted domains
• ebaoffice.com.br
HTTPS sessions
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49695        187.45.187.42   443               C:\Users\user\AppData\Roaming\abd1 .exe

HTTP data (session 0)

2023-03-14 13:11:35 UTC, 0 kBytes transferred, OUT:
GET /imagens/bo/inspecionando.php HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: ebaoffice.com.br
Connection: Keep-Alive

2023-03-14 13:11:35 UTC, 0 kBytes transferred, IN:
HTTP/1.1 200 OK
Connection: close
x-powered-by: PHP/5.6.40
content-type: text/html; charset=UTF-8
cache-control: public, max-age=0
expires: Tue, 14 Mar 2023 13:11:35 GMT
content-length: 0
date: Tue, 14 Mar 2023 13:11:35 GMT
server: LiteSpeed
x-ua-compatible: IE=Edge,chrome=1
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Note: the request is issued by the dropped executable in %APPDATA%\Roaming, not by a browser, yet it carries an Internet Explorer 7 / Trident user agent; the server answers 200 OK with an empty body, which is the shape of a check-in rather than a content download.


                                                                          Target ID:0
                                                                          Start time:14:11:04
                                                                          Start date:14/03/2023
                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z1F_4_T_U_r_4_2024mfdfgryry5.msi"
                                                                          Imagebase:0x7ff60cc30000
                                                                          File size:66048 bytes
                                                                          MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:1
                                                                          Start time:14:11:04
                                                                          Start date:14/03/2023
                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                          Imagebase:0x7ff60cc30000
                                                                          File size:66048 bytes
                                                                          MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:2
                                                                          Start time:14:11:06
                                                                          Start date:14/03/2023
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 8691F6983ACCABCCE0C9446FEF7BF02E
                                                                          Imagebase:0x1300000
                                                                          File size:59904 bytes
                                                                          MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          Target ID:3
                                                                          Start time:14:11:07
                                                                          Start date:14/03/2023
                                                                          Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                          Imagebase:0x400000
                                                                          File size:1856512 bytes
                                                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Borland Delphi
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000003.325986773.0000000002802000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.587390780.00000000029FF000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.310275166.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 0%, ReversingLabs
                                                                          Reputation:low

                                                                          Target ID:6
                                                                          Start time:14:12:06
                                                                          Start date:14/03/2023
                                                                          Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                          Imagebase:0x400000
                                                                          File size:1856512 bytes
                                                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:Borland Delphi
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.514615623.0000000002A80000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          Target ID:7
                                                                          Start time:14:12:15
                                                                          Start date:14/03/2023
                                                                          Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                          Imagebase:0x400000
                                                                          File size:1856512 bytes
                                                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:Borland Delphi
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.527493811.0000000002853000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                            • Instruction ID: 504fd77f8729332502003de2e9f98115c906361cb5b894d41d202d77b2e4ab8b
                                                                            • Opcode Fuzzy Hash: 0e79cceb59b4535da395f1e5ef8ce741452c7221888a9e0f22e36a7174bc20a0
                                                                            • Instruction Fuzzy Hash: 3B518071981228AFCB20DF54DC99FEABBB8FB49704F1004E9E509E7290DB349A59CF54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: ae21f81b5a012ccf69e9e078211d3549e91889963cdb19d60af390eb2c1bbda1
                                                                            • Instruction ID: 8738c0c4e71e59e95c65ce91586d580a31b9527045137572a2db7aa9009c450e
                                                                            • Opcode Fuzzy Hash: ae21f81b5a012ccf69e9e078211d3549e91889963cdb19d60af390eb2c1bbda1
                                                                            • Instruction Fuzzy Hash: 1041BE71E41219BBDB128F94CC95FAEBBBDFB44750F0001A5F908B7280D7759E058AA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: 56beb8e81084bc67dcc7feb1ebf3d08b7e1c06547f6e069317a57c9216b99e91
                                                                            • Instruction ID: 9c68d9c8843bcf8f9830d2eb75e5828007c24ee81d0658cbad47425fc8200bca
                                                                            • Opcode Fuzzy Hash: 56beb8e81084bc67dcc7feb1ebf3d08b7e1c06547f6e069317a57c9216b99e91
                                                                            • Instruction Fuzzy Hash: C9511972D0061A9FDB16DFA5C981AEEFBB9BB08314F20402AEA15F7240DB349D45CF94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: 2a06b1ee5d5e2f637049002ed6599423a76b1e832279eac43b0ae22ef7f17258
                                                                            • Instruction ID: 1d489727fc7028f71b21147357d33b1f292a31e6ec07173c164a55897724aeff
                                                                            • Opcode Fuzzy Hash: 2a06b1ee5d5e2f637049002ed6599423a76b1e832279eac43b0ae22ef7f17258
                                                                            • Instruction Fuzzy Hash: 77417C75E00719EFDB108FA5C854FAEBBB8EB88764F11055AFA19A7280D7709910DB70
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: c62c15ac590bac89232978e85740bbcec0bffff6f5b6f448c3588d01861c9376
                                                                            • Instruction ID: d7dafe7868bbd81051b75223a480ee41bba40d1d0348dc8ea1ef36f6c665da3b
                                                                            • Opcode Fuzzy Hash: c62c15ac590bac89232978e85740bbcec0bffff6f5b6f448c3588d01861c9376
                                                                            • Instruction Fuzzy Hash: F1415B75A00208EFEF11CF95C8859EEBBBAFB8C314F10416AF916A7250D7329951DB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            • API String ID: 0-2766056989
                                                                            • Opcode ID: 46cb293e1b692a11d3bf5cacd2eeacf50d2bafca5f42e56fc5e3b7a02fe8bf69
                                                                            • Instruction ID: bb8b8ae355d675c07c84c2122f9126a56dba2e7876cffcd84dc94d1b38ed0e4c
                                                                            • Opcode Fuzzy Hash: 46cb293e1b692a11d3bf5cacd2eeacf50d2bafca5f42e56fc5e3b7a02fe8bf69
                                                                            • Instruction Fuzzy Hash: FE316D71A41228BBDB10DF91DC49FAEBFB8FB49744F1004A9F905A6280D3309A19DF69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (
                                                                            • API String ID: 0-3887548279
                                                                            • Opcode ID: 8c7336d5e4a3b65c58545328fa0bd471725b8f900988ecbaf8d743d398ca174f
                                                                            • Instruction ID: de5590cfb06cd8004cdf0c76536cfd91605b642e783c9527264a81237f8f9b0a
                                                                            • Opcode Fuzzy Hash: 8c7336d5e4a3b65c58545328fa0bd471725b8f900988ecbaf8d743d398ca174f
                                                                            • Instruction Fuzzy Hash: 3841BEB0D00219EFEF25CF9AD884A9DBBF4BB08354F10852AE829EB250C7749945CF59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: 685326183b84b911dcdaf360f639268a74096c42469a9a5b417a8ff74d63f4b2
                                                                            • Instruction ID: 0b759e595602e931b524edb22c31e42ad9ec26d4a96a78d45ae176d065a624ae
                                                                            • Opcode Fuzzy Hash: 685326183b84b911dcdaf360f639268a74096c42469a9a5b417a8ff74d63f4b2
                                                                            • Instruction Fuzzy Hash: 6421B471A00248DFDB50CF58C988BEAB7F8EF88718F04456AEA4DAB281D3749D45CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID: 0-3916222277
                                                                            • Opcode ID: ec3e5b2a8b46f56950b2415b293818962ffb40b9de7a1ea285e499658aeb4efd
                                                                            • Instruction ID: 0eccd47230279955e9532c008d2d2b01a9d24e1e272412dc40c23f7659eb3885
                                                                            • Opcode Fuzzy Hash: ec3e5b2a8b46f56950b2415b293818962ffb40b9de7a1ea285e499658aeb4efd
                                                                            • Instruction Fuzzy Hash: 5B012131400209FFEF12DFB1C948ADA3769FB4835AF01845AFD1651161D7B9C9A4EF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9cbe383d1d0062a49713afe53595a61753e18908bba3d6e888ef4f891183c883
                                                                            • Instruction ID: f55e5d67401e331ce09091f0657211edf9d3d6eadaaa2b5e3f20c55eb790f309
                                                                            • Opcode Fuzzy Hash: 9cbe383d1d0062a49713afe53595a61753e18908bba3d6e888ef4f891183c883
                                                                            • Instruction Fuzzy Hash: 41F1EEB5A00756EFDB14CF69C480AAABBF1FF58308B05856AD846D7700E730E925CBD9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0b6192fcfd13f5b5b3abf2bfe4935e760e790c75408977395c070f754a2b5a56
                                                                            • Instruction ID: f6e110c6d0ed5df71e91e3e74085345b76786171647bf2913d6a923557d7c0a5
                                                                            • Opcode Fuzzy Hash: 0b6192fcfd13f5b5b3abf2bfe4935e760e790c75408977395c070f754a2b5a56
                                                                            • Instruction Fuzzy Hash: F5D1E175E402349ADB309F15CC44BAA7BB4FB45714F40859AFA09AB1C0E770DACACB9C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7be1b9d52b3637c8631c06b9c113665980fa33adc90628818b95d32763a6436f
                                                                            • Instruction ID: 1d6f6cc3e0f5330c41fe4b6d882a792e1ad62fe0f3d12b328273de7ad0226297
                                                                            • Opcode Fuzzy Hash: 7be1b9d52b3637c8631c06b9c113665980fa33adc90628818b95d32763a6436f
                                                                            • Instruction Fuzzy Hash: 01B1E130A003459FEB25CF68C842BBDBBF2BF86304F188499DC55AB391D774A946CB59
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 31a679eeeaf3050126aeae3f27d5251e747628f4ad8e5a5d6b087b1baa05dbc0
                                                                            • Instruction ID: 690e42e47f20b894720b2c2341104118101a21afcca8df6a6810d27a4dab0cae
                                                                            • Opcode Fuzzy Hash: 31a679eeeaf3050126aeae3f27d5251e747628f4ad8e5a5d6b087b1baa05dbc0
                                                                            • Instruction Fuzzy Hash: 5DB13832D00A2A9BCB22DF94C880BEEBBB9BF48714F11516AE915F7250DB309D41CF94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b2e95ad634d22070bc504c4e957c6de39ab921be63a2c512be07330b168b78a
                                                                            • Instruction ID: 6f433a6ebd7ac2eef68dc9579ba31984fb65230140783290c9216e3a12df8617
                                                                            • Opcode Fuzzy Hash: 5b2e95ad634d22070bc504c4e957c6de39ab921be63a2c512be07330b168b78a
                                                                            • Instruction Fuzzy Hash: 98B14975D01229EFDF649F28C8A8BA9BBB5BF48704F1546D9D80DA3250EB309E85CF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0c0e577f0b3a4c104234a48941967619d80bb81393d644f6db4744e1b09161e3
                                                                            • Instruction ID: 341bef1b98e180581ce725728a87154edcdf84b19ad93034d554bb5321e76717
                                                                            • Opcode Fuzzy Hash: 0c0e577f0b3a4c104234a48941967619d80bb81393d644f6db4744e1b09161e3
                                                                            • Instruction Fuzzy Hash: B5B15975D0222A9FDF649F68CC88BA9BBB5BF84700F1446D9D81DA3250EB309E85CF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b84ac1d75e17105fad4a6dc47cfd0e5f5b61c86c1e157146ac554c91502e43c
                                                                            • Instruction ID: 072ed074ddc7d98740535b8ffc95ad49d1d3f6e0fa57819e220af24d7d0ecd73
                                                                            • Opcode Fuzzy Hash: 5b84ac1d75e17105fad4a6dc47cfd0e5f5b61c86c1e157146ac554c91502e43c
                                                                            • Instruction Fuzzy Hash: 8F91C3759013559FEF25CFA8C880BBABBF1FF4A308F184499D841AB351D335A946CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 999ab4316911424cf374e98700f723ad7a61872ad7538ec27465dfbf0afbd76b
                                                                            • Instruction ID: 80675bc555fa227a2bfee42a72421224834ffa570e979b288215a65b8674e2da
                                                                            • Opcode Fuzzy Hash: 999ab4316911424cf374e98700f723ad7a61872ad7538ec27465dfbf0afbd76b
                                                                            • Instruction Fuzzy Hash: 53314971F44741BBDB125EA9CC90B6A7B6EBB94700F0058E9F905EB340DBB1DD01CA98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 04a614aee5df797eee7a0f458440664028a17397b3ceec6757ac94060c6ae829
                                                                            • Instruction ID: cb34a606badaf90e550a1a1ba1e75e41dd6ecfc1e4c2366c7ac7ca57ad501168
                                                                            • Opcode Fuzzy Hash: 04a614aee5df797eee7a0f458440664028a17397b3ceec6757ac94060c6ae829
                                                                            • Instruction Fuzzy Hash: 1341B135E40219EFDF119FA4C858ABEBBB8EF48341F1148A6E807E3210D734DA44DB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f511ad7e8afc1958de678edc97f0a1e822201e16786f6495278e5463e6fd0102
                                                                            • Instruction ID: cc91429f83899a28c7e128d04d3ae3036f9f8b0264fade45d2089f9cad723257
                                                                            • Opcode Fuzzy Hash: f511ad7e8afc1958de678edc97f0a1e822201e16786f6495278e5463e6fd0102
                                                                            • Instruction Fuzzy Hash: 7341BDB5941610EFDB228F64D804B6ABBF9EF44B56F41445AF88ACB310E730E951CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5d5e93a81709991016149296e919126eca9ed62b14d484b355a28d5b0fa400c6
                                                                            • Instruction ID: fa21975402fd8aef8fc6093bf678ecd9caa7e3b82237849a4a27c5fde92e4cbe
                                                                            • Opcode Fuzzy Hash: 5d5e93a81709991016149296e919126eca9ed62b14d484b355a28d5b0fa400c6
                                                                            • Instruction Fuzzy Hash: 57319E32640A04EFDB226FA4CC40F6ABBBAFF84754F114428F6099B560DB31DD12DBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c2ed42348a870cecdae490840979cc1231e22f5d329fd546aca33dfa1bc87410
                                                                            • Instruction ID: 09d97694c2bceee674d5b57d364c623fca76848fa07c401a9c5006e9f6bac27d
                                                                            • Opcode Fuzzy Hash: c2ed42348a870cecdae490840979cc1231e22f5d329fd546aca33dfa1bc87410
                                                                            • Instruction Fuzzy Hash: FC418071A0060ABFEB00CF99CC45AAABBB8FF88310F144329E55492690D730B964CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c16f0938d7bdc50d01f4e9ebb54674ee1d873fcced93ab7a1e535352ea3ee749
                                                                            • Instruction ID: 9fea61068e87e50940ee14d42340444030bdde72b4221637028a76ccc7b5937b
                                                                            • Opcode Fuzzy Hash: c16f0938d7bdc50d01f4e9ebb54674ee1d873fcced93ab7a1e535352ea3ee749
                                                                            • Instruction Fuzzy Hash: 27313833A00259ABCB269F59C850BBEF7A9FF84B08F14516AF540EB2D0E634CD41C768
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4e7018a2b3490e2b640817146c51f44deb70ea5852c8d6fc42b0bc1f26be303a
                                                                            • Instruction ID: b4baa98d7f93adac4d6e704b23b44baf216a8be986f8343d58162f9c58dc616f
                                                                            • Opcode Fuzzy Hash: 4e7018a2b3490e2b640817146c51f44deb70ea5852c8d6fc42b0bc1f26be303a
                                                                            • Instruction Fuzzy Hash: 10310632E40298EFDB118FD5DC18FADBBB5EB85750F11016AFA09AB250DB709C04EB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1756c83c4aae58b0106e5207135d21e9189d0a8beda2f7d629cefbd06f329a69
                                                                            • Instruction ID: fecebf175e09ef96fd8e610c54f197ae6e3104f0af73310039d8945a7755e637
                                                                            • Opcode Fuzzy Hash: 1756c83c4aae58b0106e5207135d21e9189d0a8beda2f7d629cefbd06f329a69
                                                                            • Instruction Fuzzy Hash: 9D214932F00621B7DB125A698C54F6F7B6EBB54760F01116DFD09EB381EB209E008A9C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 32873644114c64627719d30e3089e88ce7a02c7f5e2711ed0205cc94914eceaa
                                                                            • Instruction ID: 5a10ae437f423d31c8964c80ad1b099255fe4c9705cf189ba792da86d5e0dad8
                                                                            • Opcode Fuzzy Hash: 32873644114c64627719d30e3089e88ce7a02c7f5e2711ed0205cc94914eceaa
                                                                            • Instruction Fuzzy Hash: CA315636640510AFEF25AF64DC64B7B376DFB88B02B004869FD038A240E7B16A16DB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8383c9024c45168a0c398e88b3cee0cf6cbfbb1fc3e7a4e87b6755e13b402029
                                                                            • Instruction ID: a9b0c36bef0e9e71bfb967452171ac50e710fefaf7e713359a6196d9001ce2a6
                                                                            • Opcode Fuzzy Hash: 8383c9024c45168a0c398e88b3cee0cf6cbfbb1fc3e7a4e87b6755e13b402029
                                                                            • Instruction Fuzzy Hash: 43318D71A00219BFEB15DF94C980AAEBBBAFF48754F144069ED05E7380D7B09E11CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 887aec1fdf3c3064b5a8cc2ed58dee104b1adf28296e7082620d200ff6fcc69d
                                                                            • Instruction ID: 2229f7a0c59c3427ae87e34cd9a2d68d67076d9c22dce069c873987ab8238d76
                                                                            • Opcode Fuzzy Hash: 887aec1fdf3c3064b5a8cc2ed58dee104b1adf28296e7082620d200ff6fcc69d
                                                                            • Instruction Fuzzy Hash: F9319A323106214BD7A48E69C491FA773D6EBC4324F154A3EDF5DC7380DB70A885CA44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 234faffafd35cdadc6b4689c8766cdcd66f5c4ea05782c6a2556ea5be05cc502
                                                                            • Instruction ID: cf64bbfe4d8c0dcae68477af7319fbefb768c609200e9bbb3f61400e239cdaef
                                                                            • Opcode Fuzzy Hash: 234faffafd35cdadc6b4689c8766cdcd66f5c4ea05782c6a2556ea5be05cc502
                                                                            • Instruction Fuzzy Hash: A231C6326512A2EFCB628F26C82CF967BA8FBC4756B1401BAFD0987710C7308851DF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d6580833572911299e331c0326415342623b4dd3ea0ff946905f5c86df73e1fe
                                                                            • Instruction ID: 6ba4f604030b8f98d7388110a09faa34d35d2e30ad7dc2da3d8b93f3575e079c
                                                                            • Opcode Fuzzy Hash: d6580833572911299e331c0326415342623b4dd3ea0ff946905f5c86df73e1fe
                                                                            • Instruction Fuzzy Hash: A7314A75A00219AFDB05DF9AC884EAEBBF9FF88740F104469ED06E7250DB709D50DB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 375d961f19e325e417c294dc61cf27a418bc97301e36422e6ebbc2967751c86b
                                                                            • Instruction ID: b4b0cf8f2de97b70d127ac42206fbd9910a1664cc45ff47bd815731cf86c3df2
                                                                            • Opcode Fuzzy Hash: 375d961f19e325e417c294dc61cf27a418bc97301e36422e6ebbc2967751c86b
                                                                            • Instruction Fuzzy Hash: 9221E731A48721EBC7249F68DC55A6EFBB4BF4472CF214669F915972D0DF7049008748
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3c20bff82bb02c8adb1d23298c646148f0fc779065d67f7983ddc08ea4f8a91d
                                                                            • Instruction ID: ebb343f4609aa7678963888c9458d83ee41788182a9354994ea44fb565b43cca
                                                                            • Opcode Fuzzy Hash: 3c20bff82bb02c8adb1d23298c646148f0fc779065d67f7983ddc08ea4f8a91d
                                                                            • Instruction Fuzzy Hash: FE21E531E44720ABC7249F68DC95F6EFB74BF84724F215669F915972D0DB705900C788
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f52a2c4fbf6f707451c15f8cbc09a0413e84f3900891d13b6ad4858e2f8be94e
                                                                            • Instruction ID: 1d3e9159241b93c252e797222356e561cf9d95900bbe8772dc761870bb2445a7
                                                                            • Opcode Fuzzy Hash: f52a2c4fbf6f707451c15f8cbc09a0413e84f3900891d13b6ad4858e2f8be94e
                                                                            • Instruction Fuzzy Hash: 0621D3317107218BD7A4DAA5C491BABB386ABC4718F10453EDA5E87380DBA0A847CA84
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d5862f81c261ec64cc5788ea787162582532478cfd9e3e2853f53808dfe7e9d1
                                                                            • Instruction ID: 35ee7ec4e773ac2652f71f6bcfaae1c8b5713bcc7e2f513bebbec7815948f56e
                                                                            • Opcode Fuzzy Hash: d5862f81c261ec64cc5788ea787162582532478cfd9e3e2853f53808dfe7e9d1
                                                                            • Instruction Fuzzy Hash: A4218230980369AAEF219A918949BBF7BBCAF04755F000456ED4EE2280D7708A15EB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 661b5d3bdfeeabacbce7cabfc5544f10fa5dbaa5cf6b84c4d775c7671f17e35a
                                                                            • Instruction ID: 874706ca31bc0f4475f0a4c149ab99dd0fb34ce3dab37c00bd227e60fad5a18d
                                                                            • Opcode Fuzzy Hash: 661b5d3bdfeeabacbce7cabfc5544f10fa5dbaa5cf6b84c4d775c7671f17e35a
                                                                            • Instruction Fuzzy Hash: B821AE32981620FFCB229F95DC18E5ABF79FB89B50F110454FA0997260CB359A10EB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25f26db406c99afb8d09e072980dc527f056d1e9001886eac60343834a4c3348
                                                                            • Instruction ID: ea7756ce48868487f4aa7434ee4156743f0c6d25beee168908334409ecf82fa9
                                                                            • Opcode Fuzzy Hash: 25f26db406c99afb8d09e072980dc527f056d1e9001886eac60343834a4c3348
                                                                            • Instruction Fuzzy Hash: 9021F372A40615BBC7119FA8CC45EBBBBBCFB84751F014569FC0AD7200E7319E119BA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 763267450047a7933b7f18402d9ec675b2f3b1c64e6b79da5d34ca353a6d7b65
                                                                            • Instruction ID: d4d9c47ba017a52b85ae98ee326583a7eb9f05673afe9994a8eaaade54dabbbc
                                                                            • Opcode Fuzzy Hash: 763267450047a7933b7f18402d9ec675b2f3b1c64e6b79da5d34ca353a6d7b65
                                                                            • Instruction Fuzzy Hash: B4311831D42228EFDF229F94C89CB9AB7BDFB04746F4805D5B40AA2660C7389E94DF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 022fa4f1c43ecd08c1f5fd994ca2e2d73bc62edfb1bd75f49cabb64a7af25a1d
                                                                            • Instruction ID: 2a8f3dff9a9bfd4ea0af5e93f0bb4f6990ea8d09be1fb48172fbc019ba25008e
                                                                            • Opcode Fuzzy Hash: 022fa4f1c43ecd08c1f5fd994ca2e2d73bc62edfb1bd75f49cabb64a7af25a1d
                                                                            • Instruction Fuzzy Hash: 24219031E41254ABC7619F98CD84F5BBBB9EBC8784F120069FE0AA7341CA349D11DBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8a87b701a93b2cd7bbd659779f78a3bc6496e192579828ef93b352bbac27b3ee
                                                                            • Instruction ID: fd8245f41bf16b2a220be406005a1684862599c7065be168d1a6c79ba83abd76
                                                                            • Opcode Fuzzy Hash: 8a87b701a93b2cd7bbd659779f78a3bc6496e192579828ef93b352bbac27b3ee
                                                                            • Instruction Fuzzy Hash: 0A11B472984215FFEB11DFA0DD68F6B7BBCEB48691F0108A5F907C6150D6648E10EB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 28c3d33f0896939d416fe75fac24a72d201db20cc36fbbbc026c7e8526d6e6f7
                                                                            • Instruction ID: 9b24bd83f81cb3ecec174809f47df22af130c20886c3f03170ff65762d37ee2a
                                                                            • Opcode Fuzzy Hash: 28c3d33f0896939d416fe75fac24a72d201db20cc36fbbbc026c7e8526d6e6f7
                                                                            • Instruction Fuzzy Hash: 7921CC36721255DFCB05DF29C8D4EAABBBAFB45309F204669E80597285C336E908CF44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f83276028992f6064cd7b993e4543865fa7821abfc0bb0b8dc1547ed37785beb
                                                                            • Instruction ID: 31cbd5c637bca7503b9d9c6accecf60d96c13aa6e9ab6179e10324156b262a40
                                                                            • Opcode Fuzzy Hash: f83276028992f6064cd7b993e4543865fa7821abfc0bb0b8dc1547ed37785beb
                                                                            • Instruction Fuzzy Hash: AC21F035A40219AFD711DF64D859FEEBBB8FB44712F104155FA06AB280EB749904CFA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d51648bb51d00dd99f7372459a4aa93e3e00ddabb3494aef392deadc30900691
                                                                            • Instruction ID: 738a2f57eab6d0f050dc6f83f3aaa730e023236511f05bc712f250b4e04fd238
                                                                            • Opcode Fuzzy Hash: d51648bb51d00dd99f7372459a4aa93e3e00ddabb3494aef392deadc30900691
                                                                            • Instruction Fuzzy Hash: CD216372A00219EFCB54DF89C480D6EBBF9EF88750B15406AEA0D9B311DB70ED41DB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 31185aae06b36675e53897899529a4457611e1c1d45e45950a4196dd6fa15fc6
                                                                            • Instruction ID: d0c26b121bcccf11c8cf9e12b75f2f4b7debb7ea0f65f2109823bbbd5876cc3c
                                                                            • Opcode Fuzzy Hash: 31185aae06b36675e53897899529a4457611e1c1d45e45950a4196dd6fa15fc6
                                                                            • Instruction Fuzzy Hash: 7711C275740300BFEB259F48DC94F2ABBA9FB48755F1004A9FA0A97340C734AD10DB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c206b6eaa1ad34e121b2f2acf52bdaeb2958898ae769ea94adf88d3895402067
                                                                            • Instruction ID: 614eceae9c26b464d15d66319243ab7f9a4f120c8859a59fc1ea0a041d2fa9f0
                                                                            • Opcode Fuzzy Hash: c206b6eaa1ad34e121b2f2acf52bdaeb2958898ae769ea94adf88d3895402067
                                                                            • Instruction Fuzzy Hash: 9BF02232240765EBDB119F55D818E5B7BB8FF89301F01482BF906C7220D335E869DBA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d8af047c4db33a8b2ac6e2b862f49343a680125f9172994949283d75563092ee
                                                                            • Instruction ID: fe35a9bb9abd370d85f450de01827c4d584f69838cb8fe5cb4ac7d61e5f25717
                                                                            • Opcode Fuzzy Hash: d8af047c4db33a8b2ac6e2b862f49343a680125f9172994949283d75563092ee
                                                                            • Instruction Fuzzy Hash: A201E832544A90EFC7329F4AD918E07BBF9FB99B50B0149ADF10687A30C3349851DF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ecd198d654d2bcb9975e23d85852ecf70c21d1947e668b990c9ef57527475bac
                                                                            • Instruction ID: eef1f38bda744609c30e240761ce9101ed5139c4a366782668189db844111ed5
                                                                            • Opcode Fuzzy Hash: ecd198d654d2bcb9975e23d85852ecf70c21d1947e668b990c9ef57527475bac
                                                                            • Instruction Fuzzy Hash: 11F06D31181B10EBC7669F55DE18B5AB7B5FB44751F401829F94302EB0C7B4B8A5DE84
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6acb04e96699937937ec92fdea3e80bf8032a175f62353670939447f2fa3d107
                                                                            • Instruction ID: b79b5b27863acd541bb13d5c773493c64b1f3ee8a4d61d4d04439bbf7ca0895b
                                                                            • Opcode Fuzzy Hash: 6acb04e96699937937ec92fdea3e80bf8032a175f62353670939447f2fa3d107
                                                                            • Instruction Fuzzy Hash: 99F08C32540B50EBC7328F01D804B127BB4FBC4B61F160998F50A1B650C331E852DA90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9a435811de11ab1f90bdeb19bef329ccc59cdcca6d7a400c4832c4929c0cc587
                                                                            • Instruction ID: 7a687079fe86c0aa90d000669e81a61841219cabbf16c0f4958a96aae0698031
                                                                            • Opcode Fuzzy Hash: 9a435811de11ab1f90bdeb19bef329ccc59cdcca6d7a400c4832c4929c0cc587
                                                                            • Instruction Fuzzy Hash: 01F03031985524EFDF259F40CD5CB59BB79FF08710F0505D8A40E67220C734ADA0DE40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 54ce7d03c47873b99978463dcedf64876a4bd145cc25b2d6a21d7b3d532a165d
                                                                            • Instruction ID: 617b2cc79abc818a54f09c421063c319247e1a3f9a894a8e631d300e25572867
                                                                            • Opcode Fuzzy Hash: 54ce7d03c47873b99978463dcedf64876a4bd145cc25b2d6a21d7b3d532a165d
                                                                            • Instruction Fuzzy Hash: 07E0E571644015AFDF259F55CA58B29B7B9FB08B40F050198A40EA3620C734EDA1CE50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dffd266fc3d8d4e3b3298bbf526422e4e0d9421fc5cd4117f4998351e80ca522
                                                                            • Instruction ID: d44da47ce97fdaef86c59d4e94d33d2330aeabb20f0aafd3ea45e211b68b5b3f
                                                                            • Opcode Fuzzy Hash: dffd266fc3d8d4e3b3298bbf526422e4e0d9421fc5cd4117f4998351e80ca522
                                                                            • Instruction Fuzzy Hash: DDE08C31689450EFCB1A8F88D914F2A7BB9FB4CB40F06005CB406D7120C728D820DA18
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7e7510691d7c04af7e47d951cfc5ca0050cd65aa7ab80d5430173bc8518a1f20
                                                                            • Instruction ID: a6e80c9a89e6464036585f415587c5ae8ae67c852166c8676798db8ddca23dca
                                                                            • Opcode Fuzzy Hash: 7e7510691d7c04af7e47d951cfc5ca0050cd65aa7ab80d5430173bc8518a1f20
                                                                            • Instruction Fuzzy Hash: 4CD0C931C52574DBDF269F85C554B6EBA78FB04745F0540A8E815A512083348950CE98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2df018c49e26387f698bb0b44642b8134793fea4602f9bf9dd7a1e5082e00ad7
                                                                            • Instruction ID: e397f3cd81245d93374f849c0f9281e407868909ef98bb3769d7980dafacc1d8
                                                                            • Opcode Fuzzy Hash: 2df018c49e26387f698bb0b44642b8134793fea4602f9bf9dd7a1e5082e00ad7
                                                                            • Instruction Fuzzy Hash: 71D02232084608FFCB124F80C808F553BA9E794740F014020B6090A6B0C734D8B0EA88
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 471a13b5d11c7d0b17ce8f8c01a7d5e3e01c67906e9a260acc8876566bdd5156
                                                                            • Instruction ID: beee1cd5294961505d3f531355dbb267073e07d9ae0c8d20dd2a81e05473fd22
                                                                            • Opcode Fuzzy Hash: 471a13b5d11c7d0b17ce8f8c01a7d5e3e01c67906e9a260acc8876566bdd5156
                                                                            • Instruction Fuzzy Hash: E5C012316519518EDF11DF31C90C7157BE4B745746F0404A4A005E10E0E775C48DE50C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9fa866e7d6a9c980e30eb623554beaede4b7ee945df9ee15508a9909551ba351
                                                                            • Instruction ID: 217ce3568eada471d7190929ea7421fd8d7642bfc686e6a692265c1b620bed56
                                                                            • Opcode Fuzzy Hash: 9fa866e7d6a9c980e30eb623554beaede4b7ee945df9ee15508a9909551ba351
                                                                            • Instruction Fuzzy Hash: A7D0A970A11E91E7CB21AB94C50071DB770BB40B22F028380D0522B2C0CB380B028F88
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c2dcd453cdcef2f5a7ffcd11799c7baedb428be437c7ef2b690e8e7af168a51
                                                                            • Instruction ID: e71d703dfdbd374a689d1003f6e1de922ada129af493907e6b147d9895be3163
                                                                            • Opcode Fuzzy Hash: 9c2dcd453cdcef2f5a7ffcd11799c7baedb428be437c7ef2b690e8e7af168a51
                                                                            • Instruction Fuzzy Hash: DAC04C342055918BDE19D714C660B693765BB88744F5405A49C4A97651DA199902D904
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6109815572dd4bb9051bc816c542e7b6b1c8bba9bfcb27aa1ecbacd36c6f79d0
                                                                            • Instruction ID: 0d76ec0ce886ea0e9984c7a1de7e6848b93abefcfa02ab2363944b1d03e1be65
                                                                            • Opcode Fuzzy Hash: 6109815572dd4bb9051bc816c542e7b6b1c8bba9bfcb27aa1ecbacd36c6f79d0
                                                                            • Instruction Fuzzy Hash: D8B012315D4950FFDF1A9F80CE19F243774F704B40F010498B102494B0C264AC30DA04
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0Oxt$PNxt$pMxt$Mxt
                                                                            • API String ID: 0-4067622300
                                                                            • Opcode ID: a8dd9e0028b052b2cab8a1345b7ce55a042577313f689c00afb03dcc0b7f1bb0
                                                                            • Instruction ID: eb9fb2f9965527864d5bbcc1e6c27f49a19332604fc32988c0ab170c1ad939ae
                                                                            • Opcode Fuzzy Hash: a8dd9e0028b052b2cab8a1345b7ce55a042577313f689c00afb03dcc0b7f1bb0
                                                                            • Instruction Fuzzy Hash: 3D314D71A0021AABCB45CF95D8659EFBBB9FF88604B10905AFE01E7304E770DA11CBA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%
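The function records above are all carved from the same non-PE memory region at 024E1000 and are easier to correlate across reports once parsed into structured records. The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses blocks in the layout shown above (a constructed sample copies the first and the last record verbatim), splits the '$'-separated String ID list, reads the uniqueness score, and decodes the dotted fields of the .sdmp file name. That decoding rests on an assumption: the snapshot file name hcaresult_3_2_24e1000_abd1 echoes the first two numbers and the base address, but reading the next three fields as the winnt.h Protect, AllocationProtect and Type values (here 0x40, 0x20 and 0x20000) is inferred, not documented on the page, and should be checked against a dump with known properties before the flagging logic is trusted in a pipeline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first and the last record from the report, copied verbatim.
SAMPLE = """\
Memory Dump Source
• Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 471a13b5d11c7d0b17ce8f8c01a7d5e3e01c67906e9a260acc8876566bdd5156
• Instruction ID: beee1cd5294961505d3f531355dbb267073e07d9ae0c8d20dd2a81e05473fd22
• Opcode Fuzzy Hash: 471a13b5d11c7d0b17ce8f8c01a7d5e3e01c67906e9a260acc8876566bdd5156
• Instruction Fuzzy Hash: E5C012316519518EDF11DF31C90C7157BE4B745746F0404A4A005E10E0E775C48DE50C
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.584442919.00000000024E1000.00000040.00000020.00020000.00000000.sdmp, Offset: 024E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_24e1000_abd1 .jbxd
Similarity
• API ID:
• String ID: 0Oxt$PNxt$pMxt$Mxt
• API String ID: 0-4067622300
• Opcode ID: a8dd9e0028b052b2cab8a1345b7ce55a042577313f689c00afb03dcc0b7f1bb0
• Instruction ID: eb9fb2f9965527864d5bbcc1e6c27f49a19332604fc32988c0ab170c1ad939ae
• Opcode Fuzzy Hash: a8dd9e0028b052b2cab8a1345b7ce55a042577313f689c00afb03dcc0b7f1bb0
• Instruction Fuzzy Hash: 3D314D71A0021AABCB45CF95D8659EFBBB9FF88604B10905AFE01E7304E770DA11CBA5
Uniqueness

Uniqueness Score: -1.00%
"""

# Windows memory constants from winnt.h, used to decode the dump name fields.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class DumpFunction:
    source_file: str
    offset: int
    based_on_pe: bool
    opcode_id: str
    instruction_id: str
    opcode_fuzzy_hash: str
    instruction_fuzzy_hash: str
    strings: List[str]
    api_string_id: str
    uniqueness_score: Optional[float]


FIELD = re.compile(r"^• (?P<key>[^:]+): ?(?P<val>.*)$", re.M)
SOURCE = re.compile(r"^(?P<file>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
SCORE = re.compile(r"Uniqueness Score: (?P<s>-?\d+(?:\.\d+)?)%")


def parse_entries(text: str) -> List[DumpFunction]:
    """One record per 'Memory Dump Source' block; bullet lines become key/value pairs."""
    out = []
    for chunk in text.split("Memory Dump Source")[1:]:
        kv = {m["key"].strip(): m["val"].strip() for m in FIELD.finditer(chunk)}
        src = SOURCE.match(kv.get("Source File", ""))
        if not src:
            raise ValueError("unrecognised Source File line: " + kv.get("Source File", ""))
        score = SCORE.search(chunk)
        out.append(DumpFunction(
            source_file=src["file"],
            offset=int(src["off"], 16),
            based_on_pe=(src["pe"] == "true"),
            opcode_id=kv.get("Opcode ID", ""),
            instruction_id=kv.get("Instruction ID", ""),
            opcode_fuzzy_hash=kv.get("Opcode Fuzzy Hash", ""),
            instruction_fuzzy_hash=kv.get("Instruction Fuzzy Hash", ""),
            strings=[s for s in kv.get("String ID", "").split("$") if s],  # '$' separates strings
            api_string_id=kv.get("API String ID", ""),
            uniqueness_score=float(score["s"]) if score else None,
        ))
    return out


def decode_dump_name(name: str) -> dict:
    """Decode the dotted .sdmp name.

    ASSUMPTION (not documented on the page): the fields are process-index . dump-index .
    timestamp . base-address . Protect . AllocationProtect . Type . reserved, the last
    three being raw winnt.h values. Verify against a dump whose properties you know.
    """
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError("unexpected .sdmp name layout: " + name)
    proc, dump, stamp, base, protect, alloc, mtype, _reserved = parts

    def prot(v: str) -> str:
        n = int(v, 16)
        return PAGE_PROTECT.get(n, hex(n))

    n_type = int(mtype, 16)
    return {
        "process_index": int(proc), "dump_index": int(dump), "timestamp": int(stamp),
        "base": int(base, 16), "protect": prot(protect),
        "allocation_protect": prot(alloc), "type": MEM_TYPE.get(n_type, hex(n_type)),
    }


def is_unpacked_code_candidate(fn: DumpFunction) -> bool:
    """Private RWX region that is not a mapped PE image: the usual footprint of code
    unpacked or injected at runtime, which is where hooks and decrypted payloads live."""
    info = decode_dump_name(fn.source_file)
    return (not fn.based_on_pe
            and info["protect"] == "PAGE_EXECUTE_READWRITE"
            and info["type"] == "MEM_PRIVATE")


def triage(text: str) -> List[dict]:
    """Compact rows for correlating records across reports by fuzzy hash and strings."""
    return [{"offset": hex(fn.offset), "candidate": is_unpacked_code_candidate(fn),
             "strings": fn.strings, "ifh": fn.instruction_fuzzy_hash[:16]}
            for fn in parse_entries(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The Instruction Fuzzy Hash (not the exact Opcode ID) is the field to pivot on when hunting for the same routine in other reports, since it tolerates small differences in operands and addresses; the decoded region properties tell you whether a match sits in loader-mapped image code or in runtime-allocated memory.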