Edit tour

Windows Analysis Report
Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Overview

General Information

Sample Name:	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi
Original Sample Name:	Mandado-Intimao_Art516mlhg.msi
Analysis ID:	839646
MD5:	a072b53a00f4e80895b3084d82cf8c78
SHA1:	af5c7c5cc06b7f56658878db4567535880509ddf
SHA256:	0668b24ed5b0ff9d4414eed8b3e8b2acf21226675faa1d2ce91cb29eb1910661
Tags:	msi
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (window names)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Machine Learning detection for dropped file

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Entry point lies outside standard sections

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Queries keyboard layouts

PE file contains more sections than normal

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Dropped file seen in connection with other malware

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 1840 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4936 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4860 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8E6666F21503E58A0787137F71D8544E MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

abd1 .exe (PID: 4912 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)

abd1 .exe (PID: 6296 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)

abd1 .exe (PID: 6388 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\abd1 .exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.abd1 .exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	ReversingLabs: Detection: 18%
Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Virustotal: Detection: 35%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\WebUI.dll

Avira: detection malicious, Label: TR/Crypt.XPACK.Gen2

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WebUI.dll

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 185.31.40.23:443 -> 192.168.2.3:49684 version: TLS 1.2

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi, MSI4D7F.tmp.1.dr, MSI4C84.tmp.1.dr, MSI4DEE.tmp.1.dr, 67486e.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View

IP Address: 15.228.77.178 15.228.77.178

Source: global traffic

HTTP traffic detected: GET /Cont/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: hotelmessias.alwaysdata.netConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178

Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: abd1 .exe, 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: abd1 .exe, 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	String found in binary or memory: http://stats.itopvpn.com/iusage.php
Source: abd1 .exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: abd1 .exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: abd1 .exe, 00000003.00000003.259381456.0000000002380000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.518251139.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.353956402.0000000002820000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.361846817.0000000069D1E000.00000020.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.375562766.0000000002770000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: abd1 .exe, 00000003.00000002.521355931.0000000006180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/
Source: abd1 .exe, 0000000D.00000002.375035868.00000000006CD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.374209724.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.375035868.00000000006D4000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.375035868.00000000006D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php
Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php$h
Source: abd1 .exe, 00000003.00000002.516309141.0000000000906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php)
Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php...
Source: abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php0:L3
Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php0h
Source: abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php32L3
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php4
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php6
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php7
Source: abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.php:L2
Source: abd1 .exe, 00000003.00000002.521355931.0000000006180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpC:
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpCont/inspecionando.phpo.php8
Source: abd1 .exe, 00000003.00000002.516309141.0000000000906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpI
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpJ
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpL
Source: abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpLMEMx
Source: abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpM
Source: abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpS:L3
Source: abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpb
Source: abd1 .exe, 0000000C.00000002.352376564.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.374209724.0000000000195000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpb.dll.DLL
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpd
Source: abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpf
Source: abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phph
Source: abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpm
Source: abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpon
Source: abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpon%L2
Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpory.IE5
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpt
Source: abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpy
Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: abd1 .exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: hotelmessias.alwaysdata.net

Source: global traffic

Source: unknown

HTTPS traffic detected: 185.31.40.23:443 -> 192.168.2.3:49684 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI4C84.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\67486e.msi

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 13_2_6BDD3765 NtQueryInformationProcess,

13_2_6BDD3765

Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: WebUI.dll.1.dr

Static PE information: Number of sections : 15 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB

Source: WebUI.dll.1.dr	Static PE information: Section: ZLIB complexity 1.0016526442307692
Source: WebUI.dll.1.dr	Static PE information: Section: ZLIB complexity 0.99462890625
Source: WebUI.dll.1.dr	Static PE information: Section: ZLIB complexity 0.9987906816709845

Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	ReversingLabs: Detection: 18%
Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Virustotal: Detection: 35%

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8E6666F21503E58A0787137F71D8544E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8E6666F21503E58A0787137F71D8544E	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\abd1 .exe

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI745ce.LOG

Jump to behavior

Source: classification engine

Classification label: mal84.evad.winMSI@8/28@1/2

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 13_2_6BDDBEBA CreateToolhelp32Snapshot,

13_2_6BDDBEBA

Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1898
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\gg24UGs6BG
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1330
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$18f4

Source: Yara match	File source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED

Source: C:\Users\user\AppData\Roaming\abd1 .exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Static file information: File size 10094080 > 1048576

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi, MSI4D7F.tmp.1.dr, MSI4C84.tmp.1.dr, MSI4DEE.tmp.1.dr, 67486e.msi.1.dr

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019C318 push esp; ret	3_2_0019C329
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CF18 pushfd ; iretd	3_2_0019CF19
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CB38 push esp; retf	3_2_0019CB39
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CE30 pushfd ; iretd	3_2_0019CE31
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019FF9C push ebp; retn 0000h	3_2_0019FFA3
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CF80 pushfd ; iretd	3_2_0019CF81
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019C9E8 push esp; retf	3_2_0019C9E9
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_001967EE push 47350019h; ret	3_2_00196802
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE329A1 push ebx; mov dword ptr [esp], ecx	13_2_6BE329A7
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE329A1 push eax; mov dword ptr [esp], 56FBA7AAh	13_2_6BE329BA
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE329A1 push eax; mov dword ptr [esp], 0886D18Ah	13_2_6BE329EB
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE329A1 push ecx; mov dword ptr [esp], ebp	13_2_6BE32A65
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE323E1 push 63C68289h; mov dword ptr [esp], ebx	13_2_6BE323ED
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE323E1 push ecx; mov dword ptr [esp], eax	13_2_6BE323F1
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE323E1 push 258274CCh; mov dword ptr [esp], ecx	13_2_6BE3240B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE323E1 push 6F55B35Ah; mov dword ptr [esp], ecx	13_2_6BE32416
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE323E1 push 245A934Dh; mov dword ptr [esp], ebp	13_2_6BE3244C
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE327EE push 25C55665h; mov dword ptr [esp], ebx	13_2_6BE327FC
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE327EC push 25C55665h; mov dword ptr [esp], ebx	13_2_6BE327FC
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE322CD push 258274CCh; mov dword ptr [esp], ecx	13_2_6BE3240B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE322CD push 6F55B35Ah; mov dword ptr [esp], ecx	13_2_6BE32416
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE322CD push 245A934Dh; mov dword ptr [esp], ebp	13_2_6BE3244C
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE324DF push 0BD4A292h; mov dword ptr [esp], ebx	13_2_6BE32503
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE324DF push 73189D71h; mov dword ptr [esp], ebp	13_2_6BE3250B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE32006 push edi; mov dword ptr [esp], esi	13_2_6BE3204D
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE32006 push 40DCDF08h; mov dword ptr [esp], ebp	13_2_6BE32066
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE32006 push esi; mov dword ptr [esp], ebp	13_2_6BE320D7
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BE3239D push 245A934Dh; mov dword ptr [esp], ebp	13_2_6BE3244C
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BDE454C push 77B6B6D7h; mov dword ptr [esp], ebp	13_2_6BDE45C3
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BDE498E push eax; mov dword ptr [esp], ebp	13_2_6BDE49A8
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 13_2_6BDE498E push 1E201786h; mov dword ptr [esp], edi	13_2_6BDE49BA

Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name: .themida
Source: WebUI.dll.1.dr	Static PE information: section name: .boot

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: initial sample

Static PE information: section name: entropy: 7.942404498746125

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\WebUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4DEE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4E4D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4EBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4D7F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\abd1 .exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4C84.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4DEE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4E4D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4EBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4D7F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4C84.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4912 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4912 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4912 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4912 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4912 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4912 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6296 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6296 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6296 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6296 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6296 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6296 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6388 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6388 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6388 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6388 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6388 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6388 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Roaming\abd1 .exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 2596

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4DEE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4E4D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4D7F.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Memory allocated: 5E20000 memory reserve | memory write watch

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Thread delayed: delay time: 40000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW A
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWonic0Local Area Connection* 1\|
Source: abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe

Jump to behavior

Source: abd1 .exe, 00000003.00000002.518251139.0000000002958000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: abd1 .exe, 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	Binary or memory string: ProgmanU

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	2 Process Injection	21 Masquerading	1 Credential API Hooking	441 Security Software Discovery	1 Replication Through Removable Media	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	341 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	341 Virtualization/Sandbox Evasion	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	19%	ReversingLabs
Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	35%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WebUI.dll	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Users\user\AppData\Roaming\WebUI.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\abd1 .exe	0%	ReversingLabs
C:\Windows\Installer\MSI4C84.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4D7F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4DEE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4E4D.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI4EBB.tmp	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
12.2.abd1 .exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1204765		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.microsoft.	0%	URL Reputation	safe
http://www.indyproject.org/	0%	URL Reputation	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpJ	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpb.dll.DLL	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpI	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpS:L3	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php0h	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpM	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpL	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpon	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpon%L2	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php:L2	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpb	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php)	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php0:L3	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php...	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phph	0%	Avira URL Cloud	safe
http://stats.itopvpn.com/iusage.php	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpd	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php32L3	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpCont/inspecionando.phpo.php8	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpf	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php4	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpy	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpC:	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpory.IE5	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpLMEMx	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpt	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php7	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php6	0%	Avira URL Cloud	safe
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php$h	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hotelmessias.alwaysdata.net	185.31.40.23	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpI	abd1 .exe, 00000003.00000002.516309141.0000000000906000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpb.dll.DLL	abd1 .exe, 0000000C.00000002.352376564.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.374209724.0000000000195000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpJ	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/	abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpS:L3	abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php0h	abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpM	abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpL	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	abd1 .exe, 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	false		high
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpon%L2	abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.	abd1 .exe, 00000003.00000002.521355931.0000000006180000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpon	abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	abd1 .exe, 00000003.00000003.259381456.0000000002380000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.518251139.00000000028F0000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.353956402.0000000002820000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.361846817.0000000069D1E000.00000020.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.375562766.0000000002770000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php:L2	abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpb	abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php0:L3	abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php)	abd1 .exe, 00000003.00000002.516309141.0000000000906000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.itopvpn.com/iusage.php	abd1 .exe, 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php...	abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phph	abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpd	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php32L3	abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpCont/inspecionando.phpo.php8	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpf	abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpm	abd1 .exe, 00000003.00000002.516309141.000000000093E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpC:	abd1 .exe, 00000003.00000002.521355931.0000000006180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpory.IE5	abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpy	abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php4	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpLMEMx	abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.phpt	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php7	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php6	abd1 .exe, 00000003.00000002.516309141.0000000000980000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000C.00000002.352902937.0000000000923000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hotelmessias.alwaysdata.net/Cont/inspecionando.php$h	abd1 .exe, 00000003.00000002.516309141.000000000094C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.31.40.23	hotelmessias.alwaysdata.net	France		60362	ALWAYSDATAFR	false
15.228.77.178	unknown	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	839646
Start date and time:	2023-04-03 06:05:08 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi
Original Sample Name:	Mandado-Intimao_Art516mlhg.msi
Detection:	MAL
Classification:	mal84.evad.winMSI@8/28@1/2
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 71% Number of executed functions: 25 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target abd1 .exe, PID 4912 because there are no executed function
Execution Graph export aborted for target abd1 .exe, PID 6296 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:06:10	API Interceptor	1x Sleep call for process: abd1 .exe modified
06:06:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
06:06:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
15.228.77.178	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse
	PEDIDOS-08032023-X388omke.msi	Get hash	malicious	Unknown	Browse
	Nota-LG-emitida-13488mhqt.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ALWAYSDATAFR	B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi	Get hash	malicious	Unknown	Browse	185.31.40.22
	ejnQAYxXVX.exe	Get hash	malicious	SmokeLoader	Browse	185.31.40.12
	C3sTl3d04U.exe	Get hash	malicious	SmokeLoader	Browse	185.31.40.12
	2hMv5q2olO.exe	Get hash	malicious	SmokeLoader	Browse	185.31.40.12
	4g894hiS6D.exe	Get hash	malicious	SmokeLoader	Browse	185.31.40.12
	QoIEPSoS7k.exe	Get hash	malicious	SmokeLoader, Vidar	Browse	185.31.40.12
	http://kidanioman.com/plans~%21%40%24%40%5E%2A%23%28~%21%40%24%40%5E%2A%23%28~%21%40%24%40%5E%2A%23%28~%21%40%24%40%5E%2A%23%28	Get hash	malicious		Browse	185.31.40.161
AMAZON-02US	owari.x86.elf	Get hash	malicious	Mirai	Browse	54.66.79.34
	A5TMp5flDP.elf	Get hash	malicious	Mirai	Browse	52.10.146.44
	3Kf5mbe7eT.elf	Get hash	malicious	Mirai	Browse	18.255.213.120
	usKVq35tAu.elf	Get hash	malicious	Mirai	Browse	13.209.34.146
	HAlOlQLCVO.elf	Get hash	malicious	Mirai	Browse	35.167.253.12
	ISd7zpfQxZ.elf	Get hash	malicious	Mirai	Browse	34.209.36.226
	qh4GQXP96t.elf	Get hash	malicious	Mirai	Browse	216.137.62.243
	oK4s67OUpN.elf	Get hash	malicious	Unknown	Browse	18.179.169.140
	jKqk9FzBU7.elf	Get hash	malicious	Unknown	Browse	34.242.85.130
	Dba7KSSr5D.exe	Get hash	malicious	njRat	Browse	18.197.239.5
	42C3DA89A0FE1FFB934B035C421FBF621CB2F6EEA4814.exe	Get hash	malicious	Unknown	Browse	54.65.172.3
	0646D2001E43EAC37C568AC4972998A50DFDF3068B299.exe	Get hash	malicious	Agent Tesla, Imminent, AgentTesla	Browse	75.2.18.233
	nkAYe8SOIg.elf	Get hash	malicious	Mirai	Browse	18.178.220.220
	4A290F482706AB37BF00CE655653F7D07C3617416ED69.exe	Get hash	malicious	Agent Tesla, AgentTesla	Browse	13.248.148.254
	1DQOxg7yQp.elf	Get hash	malicious	Mirai	Browse	52.78.126.251
	in5cyuNWRq.elf	Get hash	malicious	Unknown	Browse	18.190.206.148
	mr8AlNplx5.elf	Get hash	malicious	Mirai	Browse	18.133.169.25
	HPDQNJTRLT.elf	Get hash	malicious	Mirai	Browse	18.196.46.173
	jY48W1RYP9.elf	Get hash	malicious	Mirai	Browse	54.254.223.249
	Qg6WdGeq2y.elf	Get hash	malicious	Mirai	Browse	71.152.68.212

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	40D5fjYMku.exe	Get hash	malicious	Socelars	Browse	185.31.40.23
	kITj78TQbW.exe	Get hash	malicious	Socelars	Browse	185.31.40.23
	JKWzdEZV70.exe	Get hash	malicious	Vidar	Browse	185.31.40.23
	setup.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	185.31.40.23
	setup.exe	Get hash	malicious	Amadey, Djvu, Fabookie, SmokeLoader	Browse	185.31.40.23
	file.exe	Get hash	malicious	Djvu	Browse	185.31.40.23
	file.exe	Get hash	malicious	Djvu	Browse	185.31.40.23
	file.exe	Get hash	malicious	Djvu	Browse	185.31.40.23
	setup.exe	Get hash	malicious	DanaBot, Djvu, SmokeLoader	Browse	185.31.40.23
	PO21784.vbs	Get hash	malicious	XWorm	Browse	185.31.40.23
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	185.31.40.23
	setup.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher	Browse	185.31.40.23
	setup.exe	Get hash	malicious	Djvu	Browse	185.31.40.23
	sample-no-padding.exe	Get hash	malicious	Vidar	Browse	185.31.40.23
	DCUMNTO_FDR_PROCES.vbs	Get hash	malicious	Unknown	Browse	185.31.40.23
	Documento_Recebido_2023110.689818.65285.lNk.lnk	Get hash	malicious	Unknown	Browse	185.31.40.23
	FACT6426b.msi	Get hash	malicious	Unknown	Browse	185.31.40.23
	Octoparse Setup 8.5.8.exe	Get hash	malicious	Unknown	Browse	185.31.40.23
	roVwLR4rAG.exe	Get hash	malicious	Socelars	Browse	185.31.40.23
	rZhYC0A3tZ.exe	Get hash	malicious	Raccoon Stealer v2	Browse	185.31.40.23

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\abd1 .exe	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	j3PHT0tBBF.msi	Get hash	malicious	Unknown	Browse
	j3PHT0tBBF.msi	Get hash	malicious	Unknown	Browse
	B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse
	Formulario_20183.msi	Get hash	malicious	Hidden Macro 4.0	Browse

Created / dropped Files

C:\Config.Msi\674870.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1674
Entropy (8bit):	5.467333202065632
Encrypted:	false
SSDEEP:	24:OgVJqLAHJ366+N3JElTi6OZh26AND6qLA2qLAc+qLA8qLAG/6+fDw4ib+w4ib3if:O2g6+KAR0MApO5+fU/l8CfAAX6Z1
MD5:	C825CFB20CBE89C627B7C5114A91EEBB
SHA1:	25F189E069EF083EECB28C0B578A7180F9292395
SHA-256:	A983674C72F22447F4CCD37EB61EDEB2C9A32A009DF2874CF3EE010EBC1B7DFC
SHA-512:	0903995679420322502E32C28D9D6DE0EA23522362F00B90531DF9BEB271DD887BCAF7F62F0EB80CEC54406FFE05EBF32A26B5A5F0A1AEA5A0E03893324BDF1F
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.0.V.@.....@.....@.....@.....@.....@......&.{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}..Aplicativo seguro*.Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi.@.....@.....@.....@........&.{F6760524-DDDC-4874-95BC-1A09CDB88E42}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo seguro......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{2C2ACA44-C197-434A-9AA2-F7852D530110}&.{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}.@......&.{F4F0473F-F642-497B-9579-93B828227E4B}&.{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}.@......&.{6C827F45-4CEF-4181-827B-64B7E3BC6298}&.{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}.@......&.{CFC087F1-BBB4-4400-B747-6241C5E27C4F}&.{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}.@........CreateFolders..Criando novas pastas..Pasta: [1]"...C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~....

C:\Users\user\AppData\Local\414408

Download File

Process:	C:\Users\user\AppData\Roaming\abd1 .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.288909765557392
Encrypted:	false
SSDEEP:	3:1Eypytxvn:1Xpyrv
MD5:	E5CB497AC249833F860027B70EC08FA5
SHA1:	E3054FBB5C3C7FA1A96280EC5CB566AAA61870E6
SHA-256:	7BB01190E6445FE735DC594553D9499CAA26A59F749250C675D8127E87ED700C
SHA-512:	5FC5AD389F66432B2E1A9AC03C5B5A3D5D2F4C29ABE853A4D12567DDE6CFD36FEA14BA2EF06CB377EC48EDFD5B85FD84D975230A39DCB89AA45308E74D10D9F6
Malicious:	false
Reputation:	low
Preview:	[Generate Pasta]..RxbyjwnAueRN..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\inspecionando[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\abd1 .exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	142
Entropy (8bit):	4.585772518464826
Encrypted:	false
SSDEEP:	3:IFAZZcb3sPQW58X42FQC5rq5KL5B1QVZzCIHbUBHXg:HZZcb3sPw42FXQSb1QzWvg
MD5:	209574405E8C788440DFD709A5157AA2
SHA1:	85005B72FF6CC0458A111BC4FE9DB457A59E27B9
SHA-256:	1FDA9D7C6FA2B3A48BE5B62E52DAE5D7B3302C741FD7E59CEB35FDBBE02EC209
SHA-512:	8B681AE971A458389F5E1CB7C4B2C66E49764CFE3349CEB1EB1D89BF7BDDEC55BE2F7F5C55AFBCCB5798C33CA1D1516B708E92E7E4D6B692118D748C24304285
Malicious:	false
Reputation:	low
Preview:	<br />.<b>Deprecated</b>: Function strftime() is deprecated in <b>/home/hotelmessias/www/Cont/inspecionando.php</b> on line <b>107</b><br />.

C:\Users\user\AppData\Local\Temp\MSI745ce.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	158364
Entropy (8bit):	3.7928133703305456
Encrypted:	false
SSDEEP:	1536:4pXXJApBysb0BivdDMUZNEXAdKjmL5U5xdSG+RLtSNj4MOHEmuZ1x+U+ewHt2RHJ:/jKOYUiR3
MD5:	903B8D511E4E164A386539A49EDB4D32
SHA1:	F8F341B0DB12A083FCAD4F8963FA4BCFAA7933FC
SHA-256:	5F9E63D373F4B911D4AA2B9CC9A019FAE775A65F7BFDC46112D2785633199856
SHA-512:	BE02F58BCD9607C82F33F4E56849AD1869D7E69634EBC5350AC76E464F4D218FB81AF64958577B8D79BF3A225C4E47ECEF4F1A2C0315720EAE6F93199D0831DC
Malicious:	false
Reputation:	low
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .4./.3./.2.0.2.3. . .6.:.0.6.:.0.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.0.:.C.4.). .[.0.6.:.0.6.:.0.1.:.1.3.0.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.3.0.:.C.4.). .[.0.6.:.0.6.:.0.1.:.1.3.0.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.3.0.:.8.4.). .[.0.6.:.0.6.:.0.1.:.1.7.7.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.0.:.8.4.). .[.0.6.:.0.6.:.0.1.:.1.7.7.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....

C:\Users\user\AppData\Roaming\WebUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8179200
Entropy (8bit):	7.9789190861638986
Encrypted:	false
SSDEEP:	196608:cDZ7m0mSuQxymhpT+1W0bUrvHrJosJsC8pAb5jHJBq:OJmS7yq+ivLJdJsC8uVjHJ
MD5:	B783E504AD8BD6ACFC59C6B786B386C3
SHA1:	851F0A56705B563C9BF254E5E15C9851C1C65B8A
SHA-256:	F78A29B60F3E0B082E125C86AA65A9E3D7D475D824B559E8975CE92A12C23922
SHA-512:	5EC3D7BF4AB11CF10823AABC93401CA8B303460E6ABF76613C5E9B7794E22B9743D9B5A09C0897D6AD52D9CD5E1C4BBE7F12EA60BEEF5D634828F2274808ECDF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....!d...........!......@..........3i.......A...@..........................P........\|...@.............................................\|....................................................................................`C..................... ..@......(.................. ..` ./....@..................... ..` d.....A......H..............@....bss.....z....B......................... .>... C.....................@... .....`C.....................@... .....pC.....................@..@ E.....C.....................@..@ ......C.....................@..B ..... I...0.................@..@.edata................K.............@..@.idata................K.............@....rsrc...........

C:\Users\user\AppData\Roaming\abd1 .exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1856512
Entropy (8bit):	6.763893864307226
Encrypted:	false
SSDEEP:	24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
MD5:	CEEF4762B36067F1D32A0DB621EE967E
SHA1:	D23DA38DF6B0FCA8C524B641C59C700A2338648E
SHA-256:	EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
SHA-512:	6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: z12A____o-Trabalhista.msi, Detection: malicious, Browse Filename: z1F_4_T_U_r_4_2024mfdfgryry5.msi, Detection: malicious, Browse Filename: F_4_T_U_R_4___nf____0992344.4354.msi, Detection: malicious, Browse Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse Filename: j3PHT0tBBF.msi, Detection: malicious, Browse Filename: j3PHT0tBBF.msi, Detection: malicious, Browse Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse Filename: Formulario_20183.msi, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................

C:\Windows\Installer\67486e.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F6760524-DDDC-4874-95BC-1A09CDB88E42}, Number of Words: 10, Subject: Aplicativo seguro, Author: Segurana, Name of Creating Application: Aplicativo seguro, Template: ;1046, Comments: Segurana, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Mar 27 03:59:03 2023, Number of Pages: 200
Category:	dropped
Size (bytes):	10094080
Entropy (8bit):	7.938362483289143
Encrypted:	false
SSDEEP:	196608:lABXWviyzzww6mKihLiwApP+OL20OsQOZvdmu63:lAazvLK0mzlC0CA0u
MD5:	A072B53A00F4E80895B3084D82CF8C78
SHA1:	AF5C7C5CC06B7F56658878DB4567535880509DDF
SHA-256:	0668B24ED5B0FF9D4414EED8B3E8B2ACF21226675FAA1D2CE91CB29EB1910661
SHA-512:	99C64BA2BD8361125E78AB2A22583236EFA8C2A118326FD8E3BEC9AB05D297D8860BEC26ECDF465322A46E05B67E80AF9C1AC78E2D8B3D62D13A1DAA7F1CBB53
Malicious:	false
Preview:	......................>.......................................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...\|...}...~...........................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...........>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI4C84.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.47442291222685
Encrypted:	false
SSDEEP:	12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
MD5:	AD6FAED544D1F3B892268E4B47425736
SHA1:	E893AD7E0B52F03CEDD0F94A8B9655459286083C
SHA-256:	759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
SHA-512:	0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..\|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4D7F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.47442291222685
Encrypted:	false
SSDEEP:	12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
MD5:	AD6FAED544D1F3B892268E4B47425736
SHA1:	E893AD7E0B52F03CEDD0F94A8B9655459286083C
SHA-256:	759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
SHA-512:	0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..\|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4DEE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.47442291222685
Encrypted:	false
SSDEEP:	12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
MD5:	AD6FAED544D1F3B892268E4B47425736
SHA1:	E893AD7E0B52F03CEDD0F94A8B9655459286083C
SHA-256:	759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
SHA-512:	0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..\|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4E4D.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.47442291222685
Encrypted:	false
SSDEEP:	12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
MD5:	AD6FAED544D1F3B892268E4B47425736
SHA1:	E893AD7E0B52F03CEDD0F94A8B9655459286083C
SHA-256:	759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
SHA-512:	0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..\|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI4EBB.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.47442291222685
Encrypted:	false
SSDEEP:	12288:HTjum5EiRHQAzDdVssW8z5LN8Hc4vwaqc:zjusEEQKb35y84vwaqc
MD5:	AD6FAED544D1F3B892268E4B47425736
SHA1:	E893AD7E0B52F03CEDD0F94A8B9655459286083C
SHA-256:	759936D197E6098BE606432002B78067C3FEB2DBC294F5776B1C8C3A38314F0B
SHA-512:	0A752417F5E3789FEE92C6D755A0C34317B82CB0CB9995BA7B5F102B4E85AD0D48206D66CB766F48A767BE2349C546B51E963EE6E032446447B29868943B2AF5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............E...E...E{..D...E{..D...E...D...E...D...E...D...E{..D...E{..D...E{..D...E...E...E...D...E...D...E...E...E..\|E...E...D...ERich...E........................PE..L...7g.d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5043.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2044
Entropy (8bit):	5.1151800402440415
Encrypted:	false
SSDEEP:	48:T2g6+KA4nfco/96pB+OJvcpq1AX6nymLo:T2uKAODz1pq1i6ymE
MD5:	01E3F30E2BC785228792F3B302C92F05
SHA1:	F1B31C3E371A39D5F96B66DCAA3AF00FEE99E09E
SHA-256:	ACA56006FE8EBD073B45007B5EBC34BAC8048BD724A62BFDD6F619BDF3F7C0A4
SHA-512:	0C83A6BE7A2475F61537ADF044CD7EF0725BFE61A79C3C6776060D94013DF3371CA0F80A549B8EEE6B13D0F292881E5C6D325B4E7367626C1B3BB3ABB1CA00B9
Malicious:	false
Preview:	...@IXOS.@.....@.0.V.@.....@.....@.....@.....@.....@......&.{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}..Aplicativo seguro*.Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi.@.....@.....@.....@........&.{F6760524-DDDC-4874-95BC-1A09CDB88E42}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo seguro......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{2C2ACA44-C197-434A-9AA2-F7852D530110}..C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{F4F0473F-F642-497B-9579-93B828227E4B}0.0.1.:.\.S.o.f.t.w.a.r.e.\.S.e.g.u.r.a.n...a.\.A.p.l.i.c.a.t.i.v.o. .s.e.g.u.r.o.\.V.e.r.s.i.o.n..@.......@.....@.....@......&.{6C827F45-4CEF-4181-827B-64B7E3BC6298}(.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@.......@.....@.....@......&.{CFC087F1-BBB4-4400-B747-6241C5E27C4F}(.C:\Users\user\AppData

C:\Windows\Installer\SourceHash{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1802730151725562
Encrypted:	false
SSDEEP:	12:JSbX72Fj06AGiLIlHVRpNh/7777777777777777777777777vDHFxcMzug3Id6+z:JC6QI5Jsg366+KF
MD5:	72B9DA64B32DEF6373257EC646EB03A3
SHA1:	867251B042D7AE33881473F62B06086262EF233F
SHA-256:	A8AEAA95AA38DAF938D1EE327077F7312FBCFA4CED3466E2AEE04B19EA01FEE0
SHA-512:	4FA6BED6869BCEC770BF129133FA5FE92307CDE16A95DD9CAEAFFB7251DDCACAE227F78CFF05C04A0D84CB3B34A7E44BA0529F562B7513F81B8BBB01AE9A1842
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5131877442473154
Encrypted:	false
SSDEEP:	48:28PhKuRc06WX48FT5cAL2/6+mSKsAEKgCyjMHknmSKqT0WRIr:JhK1MFTHLQ65lkC0Mj0
MD5:	E0B1FF882FA5E18EB4A5A5FFCDCC6812
SHA1:	18F85D7A1F39AE83B4E6ECB5909277F7113E0458
SHA-256:	8B6766A8C385ACB0FEA7C3AA0A3E914097D61CAF87913869F0E8A53EB5883E85
SHA-512:	8F735A21D539EFB5674940D362AEFB60473576843D99BB5363B293207839CE89A281D71A1D6CE0B72C421AFFE365A93C144C1F0B7B2927890DCA2DCB39F91FA3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	192827
Entropy (8bit):	5.391995190889113
Encrypted:	false
SSDEEP:	3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bF8:i0LVlA+
MD5:	25097DD3197017D357D2E26D10422955
SHA1:	E56E589675BD05BF793312D78150926158D57AAF
SHA-256:	512EEAA3E72D1E998299BF41A3D5E03855C9FBE705DFB634F7CD8B039FC34679
SHA-512:	2D122A06E7D43D84968BB0E7200D2419308E3561AC0807F82C4C9BC6E015C9D242EC26BFB0AAEBCB48C65317785E3F734016FDA7029FCB1CF2FEA7CA7DC1ECDA
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

C:\Windows\Temp\~DF139E919462EE2757.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF157BFADF2D82849F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF276223E273A8FB42.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5131877442473154
Encrypted:	false
SSDEEP:	48:28PhKuRc06WX48FT5cAL2/6+mSKsAEKgCyjMHknmSKqT0WRIr:JhK1MFTHLQ65lkC0Mj0
MD5:	E0B1FF882FA5E18EB4A5A5FFCDCC6812
SHA1:	18F85D7A1F39AE83B4E6ECB5909277F7113E0458
SHA-256:	8B6766A8C385ACB0FEA7C3AA0A3E914097D61CAF87913869F0E8A53EB5883E85
SHA-512:	8F735A21D539EFB5674940D362AEFB60473576843D99BB5363B293207839CE89A281D71A1D6CE0B72C421AFFE365A93C144C1F0B7B2927890DCA2DCB39F91FA3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6432F6E0A44759E3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2159974675632403
Encrypted:	false
SSDEEP:	48:xDCusthPIFX4xT5xAL2/6+mSKsAEKgCyjMHknmSKqT0WRIr:JCpIyTYLQ65lkC0Mj0
MD5:	42149DC4F23CBF782E7DBCACE88C6266
SHA1:	28BE6DC46BE4582A6B5B931EE7A743E3ABF0DABB
SHA-256:	07E0A16C5E4FFC50308C58F75A5190C139F37E2C42558E326A02832C7B567682
SHA-512:	29E9B70A1352B21959A0840E4F2AD05BF31F0B9C61B993A796C6702966609AFB9C9387FB90BBECA46F1F29FBC0601F478E57EB403E500CC46A68C0A3102A212A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF82D623B23CBB91CA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2159974675632403
Encrypted:	false
SSDEEP:	48:xDCusthPIFX4xT5xAL2/6+mSKsAEKgCyjMHknmSKqT0WRIr:JCpIyTYLQ65lkC0Mj0
MD5:	42149DC4F23CBF782E7DBCACE88C6266
SHA1:	28BE6DC46BE4582A6B5B931EE7A743E3ABF0DABB
SHA-256:	07E0A16C5E4FFC50308C58F75A5190C139F37E2C42558E326A02832C7B567682
SHA-512:	29E9B70A1352B21959A0840E4F2AD05BF31F0B9C61B993A796C6702966609AFB9C9387FB90BBECA46F1F29FBC0601F478E57EB403E500CC46A68C0A3102A212A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA9CE5BFD9E9CB86C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5131877442473154
Encrypted:	false
SSDEEP:	48:28PhKuRc06WX48FT5cAL2/6+mSKsAEKgCyjMHknmSKqT0WRIr:JhK1MFTHLQ65lkC0Mj0
MD5:	E0B1FF882FA5E18EB4A5A5FFCDCC6812
SHA1:	18F85D7A1F39AE83B4E6ECB5909277F7113E0458
SHA-256:	8B6766A8C385ACB0FEA7C3AA0A3E914097D61CAF87913869F0E8A53EB5883E85
SHA-512:	8F735A21D539EFB5674940D362AEFB60473576843D99BB5363B293207839CE89A281D71A1D6CE0B72C421AFFE365A93C144C1F0B7B2927890DCA2DCB39F91FA3
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBF7770B365992964.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC3E518BE0262FB81.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC4A4AF8C2AAA686E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2159974675632403
Encrypted:	false
SSDEEP:	48:xDCusthPIFX4xT5xAL2/6+mSKsAEKgCyjMHknmSKqT0WRIr:JCpIyTYLQ65lkC0Mj0
MD5:	42149DC4F23CBF782E7DBCACE88C6266
SHA1:	28BE6DC46BE4582A6B5B931EE7A743E3ABF0DABB
SHA-256:	07E0A16C5E4FFC50308C58F75A5190C139F37E2C42558E326A02832C7B567682
SHA-512:	29E9B70A1352B21959A0840E4F2AD05BF31F0B9C61B993A796C6702966609AFB9C9387FB90BBECA46F1F29FBC0601F478E57EB403E500CC46A68C0A3102A212A
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE6A18F83263361C9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.08331278709537565
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOIMcMlVm3rJ+Wi3IdSn+jcQVky6ly:2F0i8n0itFzDHFxcMzug3Id6+iy
MD5:	3AC08D9E9FF90F9850ED978DCE37A1A1
SHA1:	2BB06ADB6E0402FA6D8B0D3B8091B6B1BF5A8E45
SHA-256:	12922F0D11AE65E23BD41FF76E7F14324D8BF9F0BFA828A31A31536A20A51A38
SHA-512:	84943A1DA12D8F4ABBE5450B3030EBA77E77BB5150E8D92E23C24701974054D2D85E2DB13EED7139211B62529755FF138F2EA4006FB52F2B7A8AFBD1062DEC8D
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE6E49EBF07038728.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFAC181F021A06EDE.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.11771498259230646
Encrypted:	false
SSDEEP:	48:hRIrYRT2mSKZmSKsAEKgCyjMHk9iAL2/:HHulkC0Mm/LQ
MD5:	53AC0D922909E4D34A7C78C8C9F410D4
SHA1:	41C6A544FD1BC89E78CF6E9738D19B72B0DBBE0E
SHA-256:	A5E995A23ADE3E6E74E25949C018CA289EA22D177D8A360A4E32CF44420449BD
SHA-512:	3C936C92F29FA1AA39F06C20A2C2D99CA0E58628E550411EA0ADB2264B7F13DB597AD5C0D2E721503FEB088DC0AC8721249355DF75C09A24ABA209F03A3D2CF0
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F6760524-DDDC-4874-95BC-1A09CDB88E42}, Number of Words: 10, Subject: Aplicativo seguro, Author: Segurana, Name of Creating Application: Aplicativo seguro, Template: ;1046, Comments: Segurana, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Mar 27 03:59:03 2023, Number of Pages: 200
Entropy (8bit):	7.938362483289143
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi
File size:	10094080
MD5:	a072b53a00f4e80895b3084d82cf8c78
SHA1:	af5c7c5cc06b7f56658878db4567535880509ddf
SHA256:	0668b24ed5b0ff9d4414eed8b3e8b2acf21226675faa1d2ce91cb29eb1910661
SHA512:	99c64ba2bd8361125e78ab2a22583236efa8c2a118326fd8e3bec9ab05d297d8860bec26ecdf465322a46e05b67e80af9c1ac78e2d8b3d62d13a1daa7f1cbb53
SSDEEP:	196608:lABXWviyzzww6mKihLiwApP+OL20OsQOZvdmu63:lAazvLK0mzlC0CA0u
TLSH:	58A62325A3D78532C55D01B7E869FE0F0539BE73437041E3B6B93D6A88F08C166BEA52
File Content Preview:	........................>.......................................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...\|...}...~..............................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2023 06:06:11.520545006 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:11.520629883 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:11.520806074 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:11.623127937 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:11.623188972 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:11.705611944 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:11.705727100 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.091676950 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.091744900 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.092598915 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.092703104 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.096441984 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.096462011 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.100084066 CEST	49685	80	192.168.2.3	15.228.77.178
Apr 3, 2023 06:06:12.162636995 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.162805080 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.162852049 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.162950039 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.162969112 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.163000107 CEST	443	49684	185.31.40.23	192.168.2.3
Apr 3, 2023 06:06:12.163156986 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:12.163429976 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:15.112335920 CEST	49685	80	192.168.2.3	15.228.77.178
Apr 3, 2023 06:06:21.269279003 CEST	49685	80	192.168.2.3	15.228.77.178
Apr 3, 2023 06:06:33.356878996 CEST	49684	443	192.168.2.3	185.31.40.23
Apr 3, 2023 06:06:33.356930017 CEST	443	49684	185.31.40.23	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 3, 2023 06:06:11.457794905 CEST	58974	53	192.168.2.3	8.8.8.8
Apr 3, 2023 06:06:11.509068012 CEST	53	58974	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 3, 2023 06:06:11.457794905 CEST	192.168.2.3	8.8.8.8	0xa4d7	Standard query (0)	hotelmessias.alwaysdata.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 3, 2023 06:06:11.509068012 CEST	8.8.8.8	192.168.2.3	0xa4d7	No error (0)	hotelmessias.alwaysdata.net		185.31.40.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hotelmessias.alwaysdata.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49684	185.31.40.23	443	C:\Users\user\AppData\Roaming\abd1 .exe

Timestamp	Direction	Data
2023-04-03 04:06:12 UTC	OUT	GET /Cont/inspecionando.php HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: hotelmessias.alwaysdata.net Connection: Keep-Alive
2023-04-03 04:06:12 UTC	IN	HTTP/1.1 200 OK Connection: close date: Mon, 03 Apr 2023 04:06:12 GMT server: Apache vary: Accept-Encoding content-type: text/html; charset=UTF-8 via: 1.1 alproxy transfer-encoding: chunked
2023-04-03 04:06:12 UTC	IN	Data Raw: 38 65 0d 0a Data Ascii: 8e
2023-04-03 04:06:12 UTC	IN	Data Raw: 3c 62 72 20 2f 3e 0a 3c 62 3e 44 65 70 72 65 63 61 74 65 64 3c 2f 62 3e 3a 20 20 46 75 6e 63 74 69 6f 6e 20 73 74 72 66 74 69 6d 65 28 29 20 69 73 20 64 65 70 72 65 63 61 74 65 64 20 69 6e 20 3c 62 3e 2f 68 6f 6d 65 2f 68 6f 74 65 6c 6d 65 73 73 69 61 73 2f 77 77 77 2f 43 6f 6e 74 2f 69 6e 73 70 65 63 69 6f 6e 61 6e 64 6f 2e 70 68 70 3c 2f 62 3e 20 6f 6e 20 6c 69 6e 65 20 3c 62 3e 31 30 37 3c 2f 62 3e 3c 62 72 20 2f 3e 0a Data Ascii: <br /><b>Deprecated</b>: Function strftime() is deprecated in <b>/home/hotelmessias/www/Cont/inspecionando.php</b> on line <b>107</b><br />
2023-04-03 04:06:12 UTC	IN	Data Raw: 0d 0a 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:06:00
Start date:	03/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi"
Imagebase:	0x7ff73e250000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	06:06:01
Start date:	03/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff73e250000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	06:06:02
Start date:	03/04/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 8E6666F21503E58A0787137F71D8544E
Imagebase:	0x12a0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	06:06:04
Start date:	03/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\abd1 .exe
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.254275628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	12
Start time:	06:06:44
Start date:	03/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\abd1 .exe"
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	moderate

Show Windows behavior

Target ID:	13
Start time:	06:06:53
Start date:	03/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\abd1 .exe"
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.1%
Total number of Nodes:	32
Total number of Limit Nodes:	0

Executed Functions

Function 6BDD3765 Relevance: 1.6, APIs: 1, Instructions: 82
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 6BDD3775

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDD3000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdd3000_abd1 .jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 12a4d399fa7d7838a665138d89792c39781e3ffa6bb0f7a21f67074316067af2
Instruction ID: eefc42bee4b23e72338a3478a56de69f73b0913fb927becc81de8e2a7390ea14
Opcode Fuzzy Hash: 12a4d399fa7d7838a665138d89792c39781e3ffa6bb0f7a21f67074316067af2
Instruction Fuzzy Hash: F321F1F150C600BFE705AF05DC416AABBE5EFD5724F11882DE6D882350D23688559B63

Uniqueness

Uniqueness Score: -1.00%

Function 6BDDBEBA Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDDB000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bddb000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab8c499742ad89a1c1947b95dbe45180795d2a9b013056c0f9e3e13bd82fff5
Instruction ID: ea9fd6f5a30c5b75f3e5a0d89d08a2e6b805655df7abf0b9e02ed07f2c259422
Opcode Fuzzy Hash: 0ab8c499742ad89a1c1947b95dbe45180795d2a9b013056c0f9e3e13bd82fff5
Instruction Fuzzy Hash: 2D313CF2A1C710AFD315AF09D885BAAFBE4EF88320F06482DE6C487340D6359840CB97

Uniqueness

Uniqueness Score: -1.00%

Function 6BDE454C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32 ref: 6BDE459C

Strings

b(B, xrefs: 6BDE45FF

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDE4000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDE4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bde4000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID: b(B
API String ID: 134000473-325247589
Opcode ID: e343bc4b585e89f8f39316c61c616c9d5cbfc169c18442f2fbf4144426bf79c3
Instruction ID: 57c0bbf323d3590d37e27903ac37918bd63be47bb52fa92bace245ec742989d9
Opcode Fuzzy Hash: e343bc4b585e89f8f39316c61c616c9d5cbfc169c18442f2fbf4144426bf79c3
Instruction Fuzzy Hash: EC3195B190C200EFE706AF08DC817AABBE1EF95314F06892DE6C847711E7369851CB97

Uniqueness

Uniqueness Score: -1.00%

Function 6BDED89C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32 ref: 6BDED8B0

Strings

+Hyw, xrefs: 6BDED970

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDEC000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDEC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdec000_abd1 .jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: +Hyw
API String ID: 2591292051-409079163
Opcode ID: 74e7758ceae0655746c76c486c0ff87b8882cbc87f29051354a90b8d8c296d02
Instruction ID: c6b20895aa3f582160d3e0cd26179a27aa45243838c21844ba00d2bed5420312
Opcode Fuzzy Hash: 74e7758ceae0655746c76c486c0ff87b8882cbc87f29051354a90b8d8c296d02
Instruction Fuzzy Hash: 5C31ABB264D700AFD3016F09DC82ABEFFE4EF95761F06482EE2C443601D63658018BA3

Uniqueness

Uniqueness Score: -1.00%

Function 6BDED8A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32 ref: 6BDED8B0

Strings

+Hyw, xrefs: 6BDED970

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDEC000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDEC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdec000_abd1 .jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: +Hyw
API String ID: 2591292051-409079163
Opcode ID: b4a4129ea6c5134f49e4e76f145553d764a1e52543617587267899640b5e9fbb
Instruction ID: 5ee288041eccf6bf3af9f3341ff0b5a2bf799165dd206d548014ae7c381eba77
Opcode Fuzzy Hash: b4a4129ea6c5134f49e4e76f145553d764a1e52543617587267899640b5e9fbb
Instruction Fuzzy Hash: 80216DF2609304AFE311BF09DC81ABEFBE8EF85761F06492DE6C443700D63658508AA7

Uniqueness

Uniqueness Score: -1.00%

Function 6BEAF31A Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 6BEAF31A

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BEAE000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BEAE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6beae000_abd1 .jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d9b7fdba30c5fd3f5e4ffa09cb0789cdeff89e911530fb52016b781c1eefadc6
Instruction ID: 3feaf45bb4d378eeb16173479c875206b22990c78557f71a77bd2d5b43edbf0f
Opcode Fuzzy Hash: d9b7fdba30c5fd3f5e4ffa09cb0789cdeff89e911530fb52016b781c1eefadc6
Instruction Fuzzy Hash: 4031B3B351C214AFE341AE5DDC81BABBBE9EF49661F15482EF684C3700EA75884087D2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCEFC5 Relevance: 1.6, APIs: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 6BCCEFC5

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BCCD000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BCCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bccd000_abd1 .jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fecc9b249fbc579e61da73f9e4c366e138bc27193e3094e6774bd3d558f82ae0
Instruction ID: 8e40a76c6a8d14279c026a4d496b84b0c87762135dff0ed8669fdb203ebd2bb0
Opcode Fuzzy Hash: fecc9b249fbc579e61da73f9e4c366e138bc27193e3094e6774bd3d558f82ae0
Instruction Fuzzy Hash: B13114F260D600AFE715AE09DC81BBAFBE9EFD8761F15882DE7C4C3750D63548408696

Uniqueness

Uniqueness Score: -1.00%

Function 6BE1C049 Relevance: 1.6, APIs: 1, Instructions: 102
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 6BE1C06D

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE1C000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be1c000_abd1 .jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3abd4514425de60f7fe89081575b48faf2d217b0d78538c122f4d8b879d60768
Instruction ID: 721f4c6c89d823ba9d8e5b4be601bcae2ad8d9ee29c1d9f95a0359c935e56125
Opcode Fuzzy Hash: 3abd4514425de60f7fe89081575b48faf2d217b0d78538c122f4d8b879d60768
Instruction Fuzzy Hash: A9315AB150C704AFD715AF19DC8266AFBE4FF09710F06492DE6C487381E6356840CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 6BE0C401 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32 ref: 6BE0C401

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE0A000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be0a000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 413917ef627b8667a349d15e128dc251cd0bdd197f958e2e075c31c1bc33cc26
Instruction ID: f5bca0683b87ce3352bdad12f0ab52917e43fab21c4f98149057a9cf63197f6c
Opcode Fuzzy Hash: 413917ef627b8667a349d15e128dc251cd0bdd197f958e2e075c31c1bc33cc26
Instruction Fuzzy Hash: D83138B251C318AFE715BE58DC857BAFBE4EF44710F06492DE7D483740EA3558148A8B

Uniqueness

Uniqueness Score: -1.00%

Function 6BDECF50 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32 ref: 6BDECF57

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDEC000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDEC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdec000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 23c35d1df49e3d8b808407ff929e6584eb018391a903ce8049b6521170c557c8
Instruction ID: e023c202391c8a163ac42a314e602c57f4432dd8bbeedf40adb516ddce6d5128
Opcode Fuzzy Hash: 23c35d1df49e3d8b808407ff929e6584eb018391a903ce8049b6521170c557c8
Instruction Fuzzy Hash: 3B2161F290C314AFE7116F49DC816AAFBE8EF94760F06093EEAC483210D6765815DB97

Uniqueness

Uniqueness Score: -1.00%

Function 6BDF73ED Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemFirmwareTable.KERNEL32 ref: 6BDF73ED

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDF7000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDF7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdf7000_abd1 .jbxd

Similarity

API ID: FirmwareSystemTable
String ID:
API String ID: 3847969577-0
Opcode ID: 16e19f353985f40f1856a466f9fb38abff747ab62a1c8d7a98ec5fbf992e7ee0
Instruction ID: be7ae220b66681777d9832ce6af3beaa7e4efe293cc41dfac86572359b8a5b4e
Opcode Fuzzy Hash: 16e19f353985f40f1856a466f9fb38abff747ab62a1c8d7a98ec5fbf992e7ee0
Instruction Fuzzy Hash: 58314CF261C700AFE719AF49D8C1A7AB7E5FF88710F15883DE6C487740E67458418AA7

Uniqueness

Uniqueness Score: -1.00%

Function 6BE17391 Relevance: 1.6, APIs: 1, Instructions: 91
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32 ref: 6BE17391

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE15000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE15000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be15000_abd1 .jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 41dfe9058facba4984c29b5f4b897dafa47608032cda7ce4a20d8887e53fba78
Instruction ID: 2663289949af9950be6cbb96bf2a5c3a64446bf4a24eb6ca3fe3d3b91e10b948
Opcode Fuzzy Hash: 41dfe9058facba4984c29b5f4b897dafa47608032cda7ce4a20d8887e53fba78
Instruction Fuzzy Hash: 3C317CF290C304AFE716BE09DC8176ABBE5EF98710F05892CEBD443740EA3558148B9B

Uniqueness

Uniqueness Score: -1.00%

Function 6BEB15F2 Relevance: 1.6, APIs: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 6BEB15F2

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BEB1000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BEB1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6beb1000_abd1 .jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1404be8cbcd9fd6ed2f8bd1abc8210c385b055e0d9fb844c6ed3064342edb888
Instruction ID: 9ab031af529ef28c42186b7a6d714ef9c27829ed03558aaf1ed3ff2b9b48e548
Opcode Fuzzy Hash: 1404be8cbcd9fd6ed2f8bd1abc8210c385b055e0d9fb844c6ed3064342edb888
Instruction Fuzzy Hash: BD21D2F150C704AFE7156F49EC817BAFBE5EF84310F02482DE6D486B10EA3598908B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE329A1 Relevance: 1.6, APIs: 1, Instructions: 82
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32 ref: 6BE329A3

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE32000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be32000_abd1 .jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b9c3fc2bfc5a068cb57e44db5e4df944abe1ab6ff9c4daf73bb726b179542b8a
Instruction ID: 0b9369b83c34aee3f6a857190908382eba567919537451f543eceb471acd8a8a
Opcode Fuzzy Hash: b9c3fc2bfc5a068cb57e44db5e4df944abe1ab6ff9c4daf73bb726b179542b8a
Instruction Fuzzy Hash: A521E9F250C200AFE315AF09DC91ABEFBE9EF98720F05492EE6C8C7210D23558508B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE3BEF6 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 6BE3BEF6

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE3B000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE3B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be3b000_abd1 .jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: cf2f9c1cd09228666615dd18ca6c635814a1c5ec376ddf9c9650334b778b7efd
Instruction ID: 0be7e547a462691ca4727854750c0bc5381a12e6eb75c4e3b957abca9de39eed
Opcode Fuzzy Hash: cf2f9c1cd09228666615dd18ca6c635814a1c5ec376ddf9c9650334b778b7efd
Instruction Fuzzy Hash: F7211BF2A0C210AFE711AF18DC81B6ABBE5EF98750F06492DEBD483350D6355860CB97

Uniqueness

Uniqueness Score: -1.00%

Function 6BD57974 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 6BD57980

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BD55000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BD55000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bd55000_abd1 .jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: f2188ee0027bfda220d1fc4a785aeb6153a7df581462e00d7055125d2be023b4
Instruction ID: dd45250cd0a3199771b1d36d6c40ac9c21d513c78419f45e4edc64578b9b6b3e
Opcode Fuzzy Hash: f2188ee0027bfda220d1fc4a785aeb6153a7df581462e00d7055125d2be023b4
Instruction Fuzzy Hash: F321FBF280C614AFE711AF49DCC166AFBE4FF58310F46092DEAC487210D6355854DB97

Uniqueness

Uniqueness Score: -1.00%

Function 6BDD8D6E Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 6BDD8D6E

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDD8000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDD8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdd8000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: ae7967b66449afc5e5edc34811025294b86d20e6283f52ec3ed6690b415f4798
Instruction ID: d57e4d69a5ca7f5867f4202ec3bb58a3b3c6698731db3a903035124da86fc7ee
Opcode Fuzzy Hash: ae7967b66449afc5e5edc34811025294b86d20e6283f52ec3ed6690b415f4798
Instruction Fuzzy Hash: EC21C6B181C214AFE711AF59D8C1B6ABBE4EF48350F06492DEBD887340E63A58548B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE195F6 Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32 ref: 6BE1960B

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE19000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE19000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be19000_abd1 .jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6ac65e5b0d3811935dab77c1d5b5beec3fd7c123dc0610d6a73206c7e4ae8a39
Instruction ID: be6bf627621ffb907226dbb0e40e1aa8c9f661cd6a04f9cecdba9828e143c114
Opcode Fuzzy Hash: 6ac65e5b0d3811935dab77c1d5b5beec3fd7c123dc0610d6a73206c7e4ae8a39
Instruction Fuzzy Hash: 952107F151C600AFE705AF19EC8267EFBE1EF98300F06492DE6D586250E33589548B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BD96BC2 Relevance: 1.5, APIs: 1, Instructions: 2COMMON

Download Yara Rule

APIs

RtlRemoveVectoredExceptionHandler.NTDLL ref: 6BD96BC2

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BD96000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BD96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bd96000_abd1 .jbxd

Similarity

API ID: ExceptionHandlerRemoveVectored
String ID:
API String ID: 1340492425-0
Opcode ID: f65d4501bc89aa458ff46657bbccc41f1789a361f4a649508a1824df2e7f8fe0
Instruction ID: 498895a79fbb3f77d7e8e824bb4da42a15e91ea95db510843e7e98865017f54a
Opcode Fuzzy Hash: f65d4501bc89aa458ff46657bbccc41f1789a361f4a649508a1824df2e7f8fe0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6BDECAFA Relevance: 1.3, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 6BDECB15

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDEC000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDEC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdec000_abd1 .jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: bef608aff5c3a412476e2a15267008afbb3e4dcd955e5593506f381cd18e03f0
Instruction ID: 4094568d40dd3398072f5546d02738f7e146309f1aba7a9e9ea63bbd570dab32
Opcode Fuzzy Hash: bef608aff5c3a412476e2a15267008afbb3e4dcd955e5593506f381cd18e03f0
Instruction Fuzzy Hash: 7C3125B151C708AFE745BF19D885A7AFBE4EF58750F02492DE6C487700EA3598808B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE08203 Relevance: 1.3, APIs: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 6BE0820A

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BE08000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE08000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6be08000_abd1 .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e49ed1f5c1eeb6048505fa74e06c5fb4aa164944bd86bd0b57b304bfcc7572a4
Instruction ID: decfc1f643ac71ab0e554b27da502e065576864ef2cf9f2492583702dc24f894
Opcode Fuzzy Hash: e49ed1f5c1eeb6048505fa74e06c5fb4aa164944bd86bd0b57b304bfcc7572a4
Instruction Fuzzy Hash: 06312BF241C610AFE716AF18D8857BEBBE4EF44750F05492DEBC487640D73698548B8B

Uniqueness

Uniqueness Score: -1.00%

Function 6BDB0EAE Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDB0000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdb0000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aacdbb68fee8f99ab4d14f9062fb3e87f693e9b8e1db6064a5178ce51e7fc47
Instruction ID: de32a743a856c88526896a00de66942477aabf0bc35b62e22a8a6ddbcf157f8a
Opcode Fuzzy Hash: 2aacdbb68fee8f99ab4d14f9062fb3e87f693e9b8e1db6064a5178ce51e7fc47
Instruction Fuzzy Hash: A13181B250C310AFE712AF18DC81BABBBE5EF85710F06482EE6C487650D2355810CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 6BD635FD Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BD63000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BD63000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bd63000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333233637a22e37449e1f9aaa41b6e7752e20076fe3bdcfad3879bae69c2de35
Instruction ID: cbecf37e2f00fbba8ec95eeb073ca6a5b9dfc972024bd83c7d8c776e5f9979da
Opcode Fuzzy Hash: 333233637a22e37449e1f9aaa41b6e7752e20076fe3bdcfad3879bae69c2de35
Instruction Fuzzy Hash: CA31AFB250C710AFE719AF18D8916BABBE5FF84720F06893EEAC443750D67558508B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BDC0034 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BDC0000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bdc0000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e242d719e5d9f9efb3c7f95324f99b826b0d13dfc4b614c4c72d1a1ee12f483e
Instruction ID: e42f53ca741f059d9d78985fe73a5115c6e384484621a984cab8aa688406c90f
Opcode Fuzzy Hash: e242d719e5d9f9efb3c7f95324f99b826b0d13dfc4b614c4c72d1a1ee12f483e
Instruction Fuzzy Hash: 7131D7B291C610AFE711AF08D8C17AAFBE4FF58710F06492DEAC893710E73558508B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BD8CFD0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.377883707.000000006BD8C000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BD8C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6bd8c000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc627a0644bcfc5855c265cef5cf9e7ffba4aa88751a9eb7171088f8922f6f3
Instruction ID: 8721da12489aa7811794acff80680528ff38b5c9c369033e06df552d36384578
Opcode Fuzzy Hash: bbc627a0644bcfc5855c265cef5cf9e7ffba4aa88751a9eb7171088f8922f6f3
Instruction Fuzzy Hash: E4D0A7F140C6C82FD7025F294C900F8FFE5FF15600F45864EA4C841A42D33841468303

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\674870.rbs

C:\Users\user\AppData\Local\414408

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\inspecionando[1].htm

C:\Users\user\AppData\Local\Temp\MSI745ce.LOG

C:\Users\user\AppData\Roaming\WebUI.dll

C:\Users\user\AppData\Roaming\abd1 .exe

C:\Windows\Installer\67486e.msi

C:\Windows\Installer\MSI4C84.tmp

C:\Windows\Installer\MSI4D7F.tmp

C:\Windows\Installer\MSI4DEE.tmp

C:\Windows\Installer\MSI4E4D.tmp

C:\Windows\Installer\MSI4EBB.tmp

C:\Windows\Installer\MSI5043.tmp

C:\Windows\Installer\SourceHash{0E8A4B79-2C4F-4D9E-80F4-DD7DCA422F39}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF139E919462EE2757.TMP

Windows Analysis Report
Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi

Function 6BDD3765 Relevance: 1.6, APIs: 1, Instructions: 82
nativeCOMMON

Function 6BDE454C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110
COMMON

Function 6BDED89C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107
COMMON

Function 6BDED8A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 92
COMMON

Function 6BEAF31A Relevance: 1.6, APIs: 1, Instructions: 121
memoryCOMMON

Function 6BCCEFC5 Relevance: 1.6, APIs: 1, Instructions: 102
memoryCOMMON

Function 6BE1C049 Relevance: 1.6, APIs: 1, Instructions: 102
memoryCOMMON

Function 6BE0C401 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 6BDECF50 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON