Edit tour

Windows Analysis Report
n_f_3_f_1_s_k_4_l.msi

Overview

General Information

Sample Name:	n_f_3_f_1_s_k_4_l.msi
Analysis ID:	843478
MD5:	549e2bd18cc02a6d3311946905bc0eb5
SHA1:	97e6a6ef783ea046adc83e06eea4f772e38da1c9
SHA256:	21a06a37976a7b137003dac057cc1e1ddcab4bf942e8c51216819e195fba3d10
Tags:	brazilmekobanmsi
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Antivirus detection for dropped file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to evade debugger and weak emulator (self modifying code)

PE file has nameless sections

Machine Learning detection for dropped file

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Checks for debuggers (devices)

Contains capabilities to detect virtual machines

Queries keyboard layouts

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6736 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\n_f_3_f_1_s_k_4_l.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 6876 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 1312 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B175E679D861DA44C1D62490FCC9BB11 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

abd1 .exe (PID: 1592 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)

abd1 .exe (PID: 6564 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)

abd1 .exe (PID: 1292 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\abd1 .exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.386779049.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0x659ee:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_Generic_a160ca52	unknown	unknown	0x1a11:$a1: 1C 85 C9 74 02 8B 09 8D 41 FF 89 45 F0 89 55 EC 8B 55 EC 8B
00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0x1fe7:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0x65aee:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000005.00000002.408834670.0000000002260000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0x65bce:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_Generic_a160ca52	unknown	unknown	0x1a11:$a1: 1C 85 C9 74 02 8B 09 8D 41 FF 89 45 F0 89 55 EC 8B 55 EC 8B
00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0x1fe7:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_Generic_a160ca52	unknown	unknown	0x2a11:$a1: 1C 85 C9 74 02 8B 09 8D 41 FF 89 45 F0 89 55 EC 8B 55 EC 8B
00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_RedLineStealer_a7da40b7	unknown	unknown	0x2fe7:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_RedLineStealer_d4b38e13	unknown	unknown	0x60e:$a: 5B 5D C2 04 00 8B C2 5F 5E 5B 5D C2 04 00 55 8B EC 57 8B 45 08 0F
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.abd1 .exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: n_f_3_f_1_s_k_4_l.msi	ReversingLabs: Detection: 16%
Source: n_f_3_f_1_s_k_4_l.msi	Virustotal: Detection: 21%			Perma Link

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\WebUI.dll

Avira: detection malicious, Label: HEUR/AGEN.1216973

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WebUI.dll

Joe Sandbox ML: detected

Source: 3.3.abd1 .exe.2630000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen2

Source: unknown

HTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.4:49697 version: TLS 1.2

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: n_f_3_f_1_s_k_4_l.msi, MSI5AE8.tmp.1.dr, MSI5C51.tmp.1.dr, MSI5C12.tmp.1.dr, 5e576d.msi.1.dr, MSI5C81.tmp.1.dr, MSI5D0F.tmp.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 4_2_6A5FF76C FindFirstFileW,

4_2_6A5FF76C

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then push eax	3_2_0240CB88
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then test edx, edx	3_2_02403A62
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then add edi, 08h	3_2_02403A62
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then push dword ptr [ebp+0Ch]	3_2_02403A62
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then mov ecx, 0000003Ch	3_2_0240AA72
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then lea eax, dword ptr [ebp-64h]	3_2_0240AA72
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then mov ecx, 00000005h	3_2_0240AA72
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then cmp eax, 7Ah	3_2_02406E7B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then sub eax, 20h	3_2_02406E7B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then cmp eax, 7Ah	3_2_02406E7B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then sub eax, 20h	3_2_02406E7B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then jmp 023FFF17h	3_2_023FFE78
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then cmp al, 7Ah	3_2_0240F63F
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then sub al, 20h	3_2_0240F63F
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then jmp 0240B8DDh	3_2_0240B6C6
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then jmp 0240B93Ah	3_2_0240B6C6
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then cmp eax, 000000C6h	3_2_0240D2F6
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then cmp word ptr [edi+eax*2-02h], 005Ch	3_2_0240D2F6
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then inc dword ptr [ebp-04h]	3_2_0240AEAA
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then mov ecx, 00000005h	3_2_0240AB7F
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then mov ebx, dword ptr [edx+00000334h]	3_2_0240F820
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then jmp 023FFD11h	3_2_023FFC5E
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then jmp 0240FD3Ah	3_2_0240FD17
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4x nop then call 6C72CF20h	3_2_6C72CF0E

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 15.228.77.178 15.228.77.178
Source: Joe Sandbox View	IP Address: 187.45.187.42 187.45.187.42

Source: global traffic

HTTP traffic detected: GET /imagens/bo/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ebaoffice.com.brConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178

Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: abd1 .exe, 00000003.00000002.564671753.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: abd1 .exe, 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: abd1 .exe, 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	String found in binary or memory: http://stats.itopvpn.com/iusage.php
Source: abd1 .exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: abd1 .exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: abd1 .exe, abd1 .exe, 00000004.00000002.389273322.000000006A9FA000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 00000004.00000002.387432573.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 00000005.00000002.412714315.0000000002450000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: abd1 .exe, 00000003.00000002.564671753.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/
Source: abd1 .exe, abd1 .exe, 00000004.00000002.385627041.0000000000196000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 00000004.00000002.389273322.000000006A60E000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 00000005.00000002.404441078.0000000000196000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php
Source: abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php...
Source: abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php2
Source: abd1 .exe, 00000003.00000002.564671753.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php5
Source: abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php:
Source: abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php;
Source: abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpH0
Source: abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory.IE5
Source: abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpX
Source: abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phph
Source: abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phphe
Source: abd1 .exe, 00000003.00000002.564671753.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpheC:
Source: abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php8
Source: abd1 .exe, 00000004.00000002.385627041.0000000000196000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpt
Source: abd1 .exe, 00000004.00000002.385627041.0000000000196000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 00000005.00000002.404441078.0000000000196000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL
Source: abd1 .exe, 00000003.00000002.564671753.000000000071A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: abd1 .exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: ebaoffice.com.br

Source: global traffic

Source: unknown

HTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.4:49697 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.386779049.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Generic_a160ca52 Author: unknown
Source: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000005.00000002.408834670.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Generic_a160ca52 Author: unknown
Source: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Generic_a160ca52 Author: unknown
Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 Author: unknown

PE file has nameless sections

Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:

Source: 00000004.00000002.386779049.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Generic_a160ca52 reference_sample = 650bf19e73ac2d9ebbf62f15eeb603c2b4a6a65432c70b87edc429165d6706f3, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 06eca9064ca27784b61994844850f05c47c07ba6c4242a2572d6d0c484a920f0, id = a160ca52-8911-4649-a1fa-ac8f6f75e18d, last_modified = 2022-04-12
Source: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000005.00000002.408834670.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Generic_a160ca52 reference_sample = 650bf19e73ac2d9ebbf62f15eeb603c2b4a6a65432c70b87edc429165d6706f3, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 06eca9064ca27784b61994844850f05c47c07ba6c4242a2572d6d0c484a920f0, id = a160ca52-8911-4649-a1fa-ac8f6f75e18d, last_modified = 2022-04-12
Source: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Generic_a160ca52 reference_sample = 650bf19e73ac2d9ebbf62f15eeb603c2b4a6a65432c70b87edc429165d6706f3, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 06eca9064ca27784b61994844850f05c47c07ba6c4242a2572d6d0c484a920f0, id = a160ca52-8911-4649-a1fa-ac8f6f75e18d, last_modified = 2022-04-12
Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_d4b38e13 reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = c91f97a7e609d8138f8c5c7dd66cf675b1b3762f26baa5bf983ee212011b99cb, id = d4b38e13-1439-4549-ba90-0b4a8ed57fb3, last_modified = 2022-04-12

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI5AE8.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\5e576d.msi

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_02409E38	3_2_02409E38
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_02409EBB	3_2_02409EBB
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0240A041	3_2_0240A041
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A206E	3_2_023A206E
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A484F	3_2_023A484F
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A5FD780	4_2_6A5FD780

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023FF721 LdrInitializeThunk,NtSetInformationThread,		3_2_023FF721
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_6C72BE96 NtQueryInformationProcess,		3_2_6C72BE96

Source: n_f_3_f_1_s_k_4_l.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs n_f_3_f_1_s_k_4_l.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB

Source: WebUI.dll.1.dr

Static PE information: Section: ZLIB complexity 0.9993696914588026

Source: WebUI.dll.1.dr

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: n_f_3_f_1_s_k_4_l.msi	ReversingLabs: Detection: 16%
Source: n_f_3_f_1_s_k_4_l.msi	Virustotal: Detection: 21%

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\n_f_3_f_1_s_k_4_l.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B175E679D861DA44C1D62490FCC9BB11
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B175E679D861DA44C1D62490FCC9BB11	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\abd1 .exe

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIe548f.LOG

Jump to behavior

Source: classification engine

Classification label: mal84.evad.winMSI@8/28@1/2

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 3_2_6C72BEE6 CreateToolhelp32Snapshot,

3_2_6C72BEE6

Source: n_f_3_f_1_s_k_4_l.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$638
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\gg24UGs6BG
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$19a4
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$50c

Source: abd1 .exe	String found in binary or memory: ISO_6937-2-add
Source: abd1 .exe	String found in binary or memory: NATS-SEFI-ADD
Source: abd1 .exe	String found in binary or memory: NATS-DANO-ADD
Source: abd1 .exe	String found in binary or memory: jp-ocr-b-add
Source: abd1 .exe	String found in binary or memory: jp-ocr-hand-add
Source: abd1 .exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: abd1 .exe	String found in binary or memory: JIS_C6229-1984-b-add

Source: Yara match	File source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED

Source: C:\Users\user\AppData\Roaming\abd1 .exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: n_f_3_f_1_s_k_4_l.msi

Static file information: File size 7191552 > 1048576

Source:

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02452E4A pushfd ; iretd	3_3_02452E4E
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02450869 push ebx; retf	3_3_0245086D
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_0245360A pushfd ; iretd	3_3_02453626
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_024518D6 push edi; iretd	3_3_02451925
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02452CE6 pushfd ; iretd	3_3_02452CEA
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02455AF3 push esp; ret	3_3_02455B04
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02452745 push eax; retf	3_3_02452752
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02451B13 push eax; ret	3_3_02451B14
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_3_02450193 push cs; retf	3_3_02450196
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A52FF push edx; ret	3_2_023A5306
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A5EF1 push ebx; retf	3_2_023A5EF2
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A6385 push ebx; iretd	3_2_023A6398
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A6033 push ebx; iretd	3_2_023A6034
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A1C15 push eax; retf	3_2_023A1C22
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A4929 push edx; retf	3_2_023A492E
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A5991 push esp; iretd	3_2_023A5996
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_023A05EB push cs; retf	3_2_023A05EE
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_6C72CD29 push 00000048h; ret	3_2_6C72CD2B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_6C722008 pushad ; retf	3_2_6C722009
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_3_02626662 push cs; retf	4_3_02626663
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_3_0262496A pushad ; retf	4_3_0262496B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_3_02624D79 push edx; ret	4_3_02624D7C
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_3_02623D09 push edx; ret	4_3_02623D0C
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_3_02627DB6 push ebp; ret	4_3_02627DDA
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_3_02624D85 push cs; ret	4_3_02624D87
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A618204 push ecx; mov dword ptr [esp], ecx	4_2_6A618208
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A6422F0 push ecx; mov dword ptr [esp], edx	4_2_6A6422F1
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A6D33EC push ecx; mov dword ptr [esp], ecx	4_2_6A6D33F1
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A604788 push ecx; mov dword ptr [esp], edx	4_2_6A604789
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A62D794 push ecx; mov dword ptr [esp], edx	4_2_6A62D796
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 4_2_6A6D4424 push ecx; mov dword ptr [esp], ecx	4_2_6A6D4428

Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:

Source: initial sample

Static PE information: section name: entropy: 7.996850183126047

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5AE8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\abd1 .exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5D0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\WebUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C81.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C12.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5AE8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5D0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C81.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C12.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1592 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1592 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1592 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1592 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1592 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1592 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6564 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6564 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6564 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6564 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6564 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 6564 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1292 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1292 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1292 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1292 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1292 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 1292 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Special instruction interceptor: First address: 000000006C737387 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 3584

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5D0F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C51.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C81.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C12.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 5F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 5F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 5ED0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

File opened / queried: VBoxGuest

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

API coverage: 0.0 %

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 4_2_6A5FF76C FindFirstFileW,

4_2_6A5FF76C

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Thread delayed: delay time: 40000

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: abd1 .exe, 00000003.00000002.564671753.000000000071A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx`Y~
Source: abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: NTICE
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: SICE

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 3_2_0240CB88 LdrInitializeThunk,

3_2_0240CB88

Source: abd1 .exe, 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	Binary or memory string: ProgmanU
Source: abd1 .exe, 00000003.00000002.571181544.0000000002548000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 3_2_023A0EE0 cpuid

3_2_023A0EE0

Source: C:\Users\user\AppData\Roaming\abd1 .exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	2 Process Injection	21 Masquerading	1 Credential API Hooking	261 Security Software Discovery	1 Replication Through Removable Media	1 Credential API Hooking	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	161 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	161 Virtualization/Sandbox Evasion	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	132 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
n_f_3_f_1_s_k_4_l.msi	16%	ReversingLabs
n_f_3_f_1_s_k_4_l.msi	22%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WebUI.dll	100%	Avira	HEUR/AGEN.1216973
C:\Users\user\AppData\Roaming\WebUI.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\abd1 .exe	0%	ReversingLabs
C:\Windows\Installer\MSI5AE8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C12.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C51.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C81.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5D0F.tmp	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.3.abd1 .exe.2630000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
4.2.abd1 .exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1204765		Download File

Domains

Source	Detection	Scanner	Label	Link
ebaoffice.com.br	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php;	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpheC:	0%	Avira URL Cloud	safe
http://stats.itopvpn.com/iusage.php	0%	Virustotal		Browse
https://ebaoffice.com.br/imagens/bo/inspecionando.php:	0%	Avira URL Cloud	safe
http://stats.itopvpn.com/iusage.php	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpX	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php2	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php5	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpH0	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpt	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php8	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php...	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phphe	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phph	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory.IE5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ebaoffice.com.br	187.45.187.42	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ebaoffice.com.br/imagens/bo/inspecionando.php	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://stats.itopvpn.com/iusage.php	abd1 .exe, 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php2	abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php;	abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php:	abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpheC:	abd1 .exe, 00000003.00000002.564671753.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpX	abd1 .exe, 00000003.00000002.573663174.0000000006240000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/	abd1 .exe, 00000003.00000002.564671753.0000000000714000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php5	abd1 .exe, 00000003.00000002.564671753.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	abd1 .exe, 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	false		high
https://ebaoffice.com.br/imagens/bo/inspecionando.phpH0	abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpt	abd1 .exe, 00000004.00000002.385627041.0000000000196000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php8	abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL	abd1 .exe, 00000004.00000002.385627041.0000000000196000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 00000005.00000002.404441078.0000000000196000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php...	abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phphe	abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	abd1 .exe, abd1 .exe, 00000004.00000002.389273322.000000006A9FA000.00000040.00000001.01000000.00000004.sdmp, abd1 .exe, 00000004.00000002.387432573.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 00000005.00000002.412714315.0000000002450000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phph	abd1 .exe, 00000003.00000002.564671753.0000000000734000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory.IE5	abd1 .exe, 00000003.00000002.564671753.00000000006E1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
15.228.77.178	unknown	United States		16509	AMAZON-02US	false
187.45.187.42	ebaoffice.com.br	Brazil		33182	DIMENOCUS	false

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	843478
Start date and time:	2023-04-08 15:02:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	n_f_3_f_1_s_k_4_l.msi
Detection:	MAL
Classification:	mal84.evad.winMSI@8/28@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:03:07	API Interceptor	1x Sleep call for process: abd1 .exe modified
15:03:31	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
15:03:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
15.228.77.178	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Get hash	malicious	Unknown	Browse
	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse
	PEDIDOS-08032023-X388omke.msi	Get hash	malicious	Unknown	Browse
	Nota-LG-emitida-13488mhqt.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse
187.45.187.42	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ebaoffice.com.br	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse	187.45.187.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://m.exactag.com/cl.aspx?extProvApi=b2c&extProvID=99&extPu=ew-email&extLi=promo_14-2023_de-DE_sixt&url=https%3A%2F%2Fkilhas.com.br/%2Fshfajsndsns%2Fverification%2F/40eciu%2F%2F%2F%2FZWxhaW5lLnNoZWxsZXlAZ28tZG92ZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	52.216.76.22
	https://dcauthchecker.top/verify/	Get hash	malicious	Unknown	Browse	143.204.215.95
	Roblox_Hack.exe	Get hash	malicious	njRat	Browse	3.121.139.82
	http://tanishkenclave.in/blog/642eca3094280.zip	Get hash	malicious	Unknown	Browse	52.25.98.49
	E9N0kMyIfq.elf	Get hash	malicious	Unknown	Browse	13.208.176.76
	oMl5W13VMw.elf	Get hash	malicious	Mirai, Moobot	Browse	18.189.23.178
	Xt13O68HNd.elf	Get hash	malicious	Moobot	Browse	52.52.39.193
	XWuq1Ur2oA.elf	Get hash	malicious	Mirai, Moobot	Browse	52.31.185.149
	FBSDTLXWIF.elf	Get hash	malicious	Mirai, Moobot	Browse	13.231.100.146
	33T91PweGq.elf	Get hash	malicious	Moobot	Browse	13.122.248.64
	TkUT5feM4X.elf	Get hash	malicious	Moobot	Browse	18.203.1.96
	http://fuseservice.com	Get hash	malicious	Unknown	Browse	3.133.77.36
	ovnhzJz4lW.elf	Get hash	malicious	Moobot	Browse	18.230.152.189
	KCWLge2AEy.elf	Get hash	malicious	Moobot	Browse	54.206.32.146
	rwDENO48jg.elf	Get hash	malicious	Mirai, Moobot	Browse	52.208.97.4
	7sH6M8eR52.elf	Get hash	malicious	Moobot	Browse	13.62.201.153
	lQ2J7JqsfM.elf	Get hash	malicious	Mirai, Moobot	Browse	18.148.47.71
	skid.x86.elf	Get hash	malicious	Moobot	Browse	35.161.155.145
	JqVcvWw1k3.elf	Get hash	malicious	Moobot	Browse	18.149.70.122
	OC5TUkV4uu.elf	Get hash	malicious	Mirai, Moobot	Browse	13.210.145.202
DIMENOCUS	Cubicles.eml	Get hash	malicious	Qbot	Browse	107.190.143.58
	http://lleuques.cl/pur/pur.php	Get hash	malicious	Unknown	Browse	98.142.108.122
	E67f7vaDdM.exe	Get hash	malicious	AgentTesla	Browse	186.227.194.42
	Technical_Datasheet.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	186.227.194.42
	Technical_Datasheet.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	186.227.194.42
	Expedita.html	Get hash	malicious	HtmlDropper	Browse	198.49.74.2
	Expedita.html	Get hash	malicious	HtmlDropper, Qbot	Browse	198.49.74.2
	https://casa.tiscali.it/promo/?u=https://sistemaexacto.com.br/gt/test/test@savion.huji.ac.il	Get hash	malicious	HTMLPhisher	Browse	187.45.181.109
	Excepturi.html	Get hash	malicious	HtmlDropper	Browse	184.171.244.22
	https://www.youtube.com/attribution_link?c=coachblog-ytm-acq-int-blog-txt-coach&u=https%3A%2F%2Fderivadosbiodegradables.com%2Fhdefneifeifiefneifn%2Fhuhudhindneefefe%2F/pzp6oa%2F%2F%2F%2Fdhalaszynski@magmutual.com%3Fid%3Dcom.google.android.apps.youtube.music	Get hash	malicious	Unknown	Browse	98.142.99.242
	Copia_di_pagamento.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	cotizaci#U00f3n.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	In.html	Get hash	malicious	Qbot	Browse	67.23.254.45
	Laudantium.html	Get hash	malicious	Qbot	Browse	177.234.150.42
	Teklif_Talebi_763734838.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	Payment_Swift_645547366353646.pdf.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	33ab528f-ebe0-4177-aae1-4e27bc03f2df.exe	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	Produktlista.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	http://nearbynavigator.com	Get hash	malicious	Unknown	Browse	198.136.51.42
	https://ums.koreanair.com/Check.html?redirectUrl=9JRD01MTMy&U1RZUEU9TUFTUw=TElTVF9UQUJMRT1FTVNfTUFTU19TRU5EX0xJU1Q=E9TVF9JRD0yMDE5MDkyMzAwMDAy&VEM9MjAxOTEwMjM=0lORD1D&Q0lEPTAwMg=URL=https://ingloba.com.mx/sh/ubbqg08fzkahm//nblach@stikeman.com	Get hash	malicious	HTMLPhisher	Browse	98.142.99.242

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	sample.exe	Get hash	malicious	Unknown	Browse	187.45.187.42
	sample.exe	Get hash	malicious	Unknown	Browse	187.45.187.42
	Loader.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	setup.exe	Get hash	malicious	Amadey, SmokeLoader, Vidar	Browse	187.45.187.42
	8F8B341230323B995C1CDE1D534031092BFDDB56411DA.exe	Get hash	malicious	Nitol, SmokeLoader, Vidar	Browse	187.45.187.42
	7227806e030cc029ddcf455694f3d235d14eed0dbe0a5.exe	Get hash	malicious	Amadey, SmokeLoader, Vidar	Browse	187.45.187.42
	Sal-April(6923).wsf	Get hash	malicious	Unknown	Browse	187.45.187.42
	INV_200817-68 MARCH2023.exe	Get hash	malicious	GuLoader	Browse	187.45.187.42
	fd370634e5dd7cc964eb87d3465a1c087e2ab642844d9.exe	Get hash	malicious	Amadey, SmokeLoader, Vidar	Browse	187.45.187.42
	file.exe	Get hash	malicious	Socelars	Browse	187.45.187.42
	6D7.bin.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, HTMLPhisher	Browse	187.45.187.42
	Setup.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	setup.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	setup.exe	Get hash	malicious	SmokeLoader, Vidar	Browse	187.45.187.42
	setup.exe	Get hash	malicious	SmokeLoader, Vidar	Browse	187.45.187.42
	FACT642f3.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	installerdoor.exe	Get hash	malicious	LummaC Stealer	Browse	187.45.187.42
	f_0130ce.xlsx	Get hash	malicious	Unknown	Browse	187.45.187.42
	f_00074e#U007e.xlsx	Get hash	malicious	HTMLPhisher	Browse	187.45.187.42
	1.bin.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu	Browse	187.45.187.42

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\abd1 .exe	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Get hash	malicious	Unknown	Browse
	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	j3PHT0tBBF.msi	Get hash	malicious	Unknown	Browse
	j3PHT0tBBF.msi	Get hash	malicious	Unknown	Browse
	B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse
	Formulario_20183.msi	Get hash	malicious	Hidden Macro 4.0	Browse

Created / dropped Files

C:\Config.Msi\5e576f.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1658
Entropy (8bit):	5.484427642500988
Encrypted:	false
SSDEEP:	48:3bShWUAR8S2VXSPdSe1ySo+fS/l8CPUAX6IJ:3b+LAqVRkdRy2Xi64
MD5:	7674CE6CE6129AE341C4C96D311D8375
SHA1:	DCA41EE07B045EB2C6466E1F1C38B4782461F7CD
SHA-256:	2F744EA037A567241B5D359E47F7DF9EA572B8A5EFAA2705D924B2B370104176
SHA-512:	4E25BB2A409C6EB9FB6CB84B502D91E00BFF45400E43A73D8841BF02C938111860613F89592E3A8BE371DA1780B76FD721A9EAB730068DA91AE5AF135ED62F92
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@bx.V.@.....@.....@.....@.....@.....@......&.{C2D550F7-7A44-449E-9376-91329715675A}..Aplicativo Windows..n_f_3_f_1_s_k_4_l.msi.@.....@...2.@.....@........&.{5BDB7F7B-15AF-4AF6-9F72-E84D5E8410BE}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{EB9160EC-5057-4A69-AF8F-0732836F475C}&.{C2D550F7-7A44-449E-9376-91329715675A}.@......&.{47C0ADE2-81CB-4D30-89DD-9B46577886C5}&.{C2D550F7-7A44-449E-9376-91329715675A}.@......&.{8A063F16-6265-44DF-BCB9-A4579F73BFDC}&.{C2D550F7-7A44-449E-9376-91329715675A}.@......&.{4834160E-0B8B-4CB5-81B4-5EAE5E4DE138}&.{C2D550F7-7A44-449E-9376-91329715675A}.@........CreateFolders..Criando novas pastas..Pasta: [1]"...C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~.........X.............

C:\Users\user\AppData\Local\760639

Download File

Process:	C:\Users\user\AppData\Roaming\abd1 .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.390319531114783
Encrypted:	false
SSDEEP:	3:1EypyGVQvCcv:1XpyG6vVv
MD5:	EC6A13B96B9524E089984345C29DC40D
SHA1:	65354C6CA906A4E6EB9E7D57007AD9581DEDB055
SHA-256:	7B84045344C147D2EAE77E0D2605BF78F2E508244B1FE2CDA481F815B5D3C910
SHA-512:	C72FAA7CE63D15B33BBB2BCADA841DAD9AADE56322D2E37F15C2EA3D46229A720BDFE8B40538B5BB6372C8D3E6A29352A7DDC6F6B3D5716318A3718518ECB349
Malicious:	false
Reputation:	low
Preview:	[Generate Pasta]..zKpimyFJvBsn..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\inspecionando[1].htm

Download File

Process:	C:\Users\user\AppData\Roaming\abd1 .exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	1377
Entropy (8bit):	5.1584696837704564
Encrypted:	false
SSDEEP:	24:0ph1KUsqSELahF1Wu7+8ASEhAh8z6peRRR0RRRKOw4T:01KQ9K+5zF6h7T
MD5:	B1F19F9237647E6312EC3B1479F3982B
SHA1:	04C8A07CDF9815F9D21152B558FE83E1A9FEA8B5
SHA-256:	FA1042CAE964D47AC153ADBF12716F76EC41EB4B6C22D1AAD395C3F23621194B
SHA-512:	60FEE39D376EBD3F8F05A6216F734D8D0D7FEDFDE69CE4EEC9E8141BEDBAB4CB1F006E22A22413F69C788449E5B685C28740E5B2450FD92819E940FF6646A540
Malicious:	false
Reputation:	low
Preview:	<!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="robots" content="noindex, nofollow">.<title>One moment, please...</title>.<style>.body {. background: #F6F7F8;. color: #303131;. font-family: sans-serif;. margin-top: 45vh;. text-align: center;.}.</style>.</head>.<body>.<h1>Please wait while your request is being verified...</h1>.<form id="wsidchk-form" style="display:none;" action="/z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f" method="get">.<input type="hidden" id="wsidchk" name="wsidchk"/>.</form>.<script>.(function(){. var west=+((+!+[]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+![]+[])+(+!+[])+(+!+[]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![])),. east=+((+!+[]+!![])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])+(+!+[]+!![]+!![]+!![]+!![]+[])+(+!+[]+!![])+(+!+[]+!![]+!![]+!![]+[])+(+!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![])),. x=function(){tr

C:\Users\user\AppData\Local\Temp\MSIe548f.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	157810
Entropy (8bit):	3.7897984615287177
Encrypted:	false
SSDEEP:	1536:TYAfY4xOf2bkDSOW+NH4Qpp9YGdfzO0ZBWx9rnNwEVL2SQ2pXfU4SNc+ekHzu5HV:+jcJ2W2gz
MD5:	90CCF3FC51629C0B03CDA36A0C2C73C6
SHA1:	5E90150310EC15F24E17DCCAD887FCA423467BB0
SHA-256:	F832209A878C0A14DB5628911C8C02BF793B7ACA753240494883EFCBC3029311
SHA-512:	8E8FA70063234AD1DF4958F7A0A8B89F483E55FB238A930A30879A95C701F2C7BE08986857CCC6A9E992F30804F7CC979BE7AE40562497E387EB2FA0EFB9EEDD
Malicious:	false
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .4./.8./.2.0.2.3. . .1.5.:.0.3.:.0.0. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.5.0.:.4.C.). .[.1.5.:.0.3.:.0.0.:.8.1.4.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.5.0.:.4.C.). .[.1.5.:.0.3.:.0.0.:.8.1.4.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.5.0.:.C.C.). .[.1.5.:.0.3.:.0.0.:.8.6.1.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.5.0.:.C.C.). .[.1.5.:.0.3.:.0.0.:.8.6.1.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0...

C:\Users\user\AppData\Roaming\WebUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5348000
Entropy (8bit):	7.98740830847663
Encrypted:	false
SSDEEP:	98304:AjioV7SEOqjuSKQ3HIpA7mFSol1TMxygEtYQr6zRTxgIEv8P:LiWEV3H2Avq4xyHuBGI0I
MD5:	410F458AEA9FEE630BC10229E59FF03B
SHA1:	8255E8404D9FACCB419A28D6E51BCCF156324831
SHA-256:	9708E26469CEB22334687CDFF8F06B72BE0A1D137FCD53C5CFD7362CBA78986E
SHA-512:	1D48548B5A3C1D9E8CF301470B6A854CEAD7466663CCFFB93C21224DE27665CD0786DEB24EB377C657F609CB435B92EF4AA6442C0FD0A0AC1D09C95225AC1D4F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ.M..5.W.r.\|..?DG...c)....z\XT]lG.g@I..a..`.*....cR9...........Q..............................................................................................................................................................................................PE..L....g/d...........!......A.......... ....... A...@...................................Q...@...........................C.......C.0.....C. /....................C..............................................................................................`C............................@.............pC.....................@............@....C........................@..............C.....................@..@..............C.....................@..@..............C.....................@....rsrc... /....C...2.................@..@............. ...z....2.............@............................................................................................................................................................a.1qa....B...2<qq.Dsh.h

C:\Users\user\AppData\Roaming\abd1 .exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1856512
Entropy (8bit):	6.763893864307226
Encrypted:	false
SSDEEP:	24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
MD5:	CEEF4762B36067F1D32A0DB621EE967E
SHA1:	D23DA38DF6B0FCA8C524B641C59C700A2338648E
SHA-256:	EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
SHA-512:	6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi, Detection: malicious, Browse Filename: z12A____o-Trabalhista.msi, Detection: malicious, Browse Filename: z1F_4_T_U_r_4_2024mfdfgryry5.msi, Detection: malicious, Browse Filename: F_4_T_U_R_4___nf____0992344.4354.msi, Detection: malicious, Browse Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse Filename: j3PHT0tBBF.msi, Detection: malicious, Browse Filename: j3PHT0tBBF.msi, Detection: malicious, Browse Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse Filename: Formulario_20183.msi, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................

C:\Windows\Installer\5e576d.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {5BDB7F7B-15AF-4AF6-9F72-E84D5E8410BE}, Number of Words: 10, Subject: Aplicativo Windows, Author: Segurana, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Apr 7 01:49:24 2023, Number of Pages: 200
Category:	dropped
Size (bytes):	7191552
Entropy (8bit):	7.902531666909113
Encrypted:	false
SSDEEP:	196608:lIKv20ZmJxLsMsW2OekIOzRm6VMHGI5m:lIo25sW2OehQTVv
MD5:	549E2BD18CC02A6D3311946905BC0EB5
SHA1:	97E6A6EF783EA046ADC83E06EEA4F772E38DA1C9
SHA-256:	21A06A37976A7B137003DAC057CC1E1DDCAB4BF942E8C51216819E195FBA3D10
SHA-512:	E483680EB7AA28F87B1633D54C6F8311594DAD4538CF69F1602C66E198B5F1B47F3E74878FF748C9C3838FB5349204298DC2715D95F5DEF43770D4FDF294487A
Malicious:	false
Preview:	......................>...................n...................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...\|...}...~...........................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...........>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI5AE8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5C12.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5C51.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5C81.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5D0F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5E48.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2024
Entropy (8bit):	5.121118282764871
Encrypted:	false
SSDEEP:	48:SbShWUA4+Z+o/RnYg1ZB+8nVcpqV7AX6WYmVm:Sb+LAVbpnmHpqV7i6dmU
MD5:	9C6BA7DD7407E2FE119FC96333536959
SHA1:	FE9F632E3792C85E6D3DF430F94A95E30FF11094
SHA-256:	A09B84FF6A663BBA76A4A6E17A436D4741B682101693C62ECC444F99D051EA20
SHA-512:	6F4CDB9766F885C5E5E45BDA66EBAFEE8255257A62CF5D45034D993BCB5C9C000A13F54B6E2A0A0FC129248154CD1676E6EFB632FD61B0C35FFC107739C61C77
Malicious:	false
Preview:	...@IXOS.@.....@bx.V.@.....@.....@.....@.....@.....@......&.{C2D550F7-7A44-449E-9376-91329715675A}..Aplicativo Windows..n_f_3_f_1_s_k_4_l.msi.@.....@...2.@.....@........&.{5BDB7F7B-15AF-4AF6-9F72-E84D5E8410BE}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{EB9160EC-5057-4A69-AF8F-0732836F475C}..C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{47C0ADE2-81CB-4D30-89DD-9B46577886C5}1.0.1.:.\.S.o.f.t.w.a.r.e.\.S.e.g.u.r.a.n...a.\.A.p.l.i.c.a.t.i.v.o. .W.i.n.d.o.w.s.\.V.e.r.s.i.o.n..@.......@.....@.....@......&.{8A063F16-6265-44DF-BCB9-A4579F73BFDC}(.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@.......@.....@.....@......&.{4834160E-0B8B-4CB5-81B4-5EAE5E4DE138}(.C:\Users\user\AppData\Roaming\WebUI.dl

C:\Windows\Installer\SourceHash{C2D550F7-7A44-449E-9376-91329715675A}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1671023188100342
Encrypted:	false
SSDEEP:	12:JSbX72FjSJAGiLIlHVRpwh/7777777777777777777777777vDHFCod0+FyjXl0G:JAJQI5YQT+NF
MD5:	14062B5C0964C1133E08C981F920F522
SHA1:	181FD8FDEB84D16DCFBB59CCCAF76B345CD27C1A
SHA-256:	B3A76137FBF438A2E8DD44C1D735E5C4F82B7E956A837FD2024788ABD753A683
SHA-512:	6CADA2ABD4C3347949252E5C3791B6854562AFCDC597C754DB052C6CA3328D4B7BA837613EAAF0F50B3347BB5FDDB5CF79FCB42F537344CA4D745BEFA07C2BC1
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5023985818916723
Encrypted:	false
SSDEEP:	48:s8PhBuRc06WXJqjT5WuwNTMSCWAECiCyjMHoEMSCcT82RM:DhB1hjTPwu1EC0M4r2
MD5:	95FE6DB680BDD656C6CF158D847A0849
SHA1:	864ED3F2605A776D8FDC732E78DD908DA4FCA24B
SHA-256:	D75ED3F7B9E8303589E092264D8E158B4E675BE80B611A2C6B93DA02EAF3DD60
SHA-512:	33BE846C48AD97247CF51276BBE5C18E39B6F51F132990FFA4A077D26F334A777683709B6A3D977FD29148B0CAC64B2DC9913E7D1ADF383DA3318A954679E797
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	79122
Entropy (8bit):	5.2821286193315125
Encrypted:	false
SSDEEP:	192:jmXs969ozNSkk3peTBYeHt0tfoI9qsjl0urmwYyi1:yXs9UogeWeH29qclhmwYyi1
MD5:	EB4C89FAEE076CD48A2E072A2D26B93A
SHA1:	D497FB2B18E30356AF4EA6D898154952AF4CB369
SHA-256:	7BBBDB6286BFDBDA8E7637A781A0FA05921322916FA324EBD701FDAE1DBD8591
SHA-512:	4ED11A16ADB42177EEB06A0844083617004075248B47EE9D6F23B04B7853106EDC7BF85F82237134DFBA83040735F7B66E3EB0085EB00B096FFD45B0F7C67F84
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 03:22:38.143 [320]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.159 [320]: ngen returning 0x00000000..07/23/2020 03:22:38.222 [3748]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Word, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.237 [3748]: ngen returning 0x00000000..07/23/2020 03:22:38.284 [64]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Common.Implementation, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 03:22:38.300 [64]:

C:\Windows\Temp\~DF0639B52DC4B1F83D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07416870825924522
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKO2JJ88odbTG2hy9+FIhCVky6ljX:2F0i8n0itFzDHFCod0+FyjX
MD5:	8EDFD65D6B9D467204C084314E3F4265
SHA1:	E647C11752AFB7FACCF3B854D3C358C58F4C902F
SHA-256:	04FCA8E48AB96A41B293B083FE98A06DD32F9A8A658A2B605039E43F400B6EDA
SHA-512:	F8E66BE8286F38B1EC598A457D72446E64DB34F40200F0077701BF67B92C94A70B7EA7F3BF9B74DCD132ED2669A521B034E1CFF70DC471CE80FCEB478F3F52EA
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0BE358E8E1BDB276.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF18827DFA02446C7D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2BFB3E91CA859E27.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF35FED97C5F509776.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5023985818916723
Encrypted:	false
SSDEEP:	48:s8PhBuRc06WXJqjT5WuwNTMSCWAECiCyjMHoEMSCcT82RM:DhB1hjTPwu1EC0M4r2
MD5:	95FE6DB680BDD656C6CF158D847A0849
SHA1:	864ED3F2605A776D8FDC732E78DD908DA4FCA24B
SHA-256:	D75ED3F7B9E8303589E092264D8E158B4E675BE80B611A2C6B93DA02EAF3DD60
SHA-512:	33BE846C48AD97247CF51276BBE5C18E39B6F51F132990FFA4A077D26F334A777683709B6A3D977FD29148B0CAC64B2DC9913E7D1ADF383DA3318A954679E797
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4AC8952929CA9119.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.11372843097633333
Encrypted:	false
SSDEEP:	24:YJ2RMGiscTxkrwipVkrakrwipVkrSAEVkryjCyjMHV2BwGC1+/NPngUc:M2RMPTeMSCpMSCWAECiCyjMHoywNP
MD5:	8C1EA8644210D1AEF229404F81BC4790
SHA1:	0FA9F7C01CCEB247F9488A216550DF06C462F8F5
SHA-256:	D96D7810F103A4D5449E3EB36EBCF0F8882252B7524A6AB6C90117CB1076B17D
SHA-512:	F885F3BD06592206BD07072D975ED0F80B4B0F84B548C5B737288BB2085FFE6BCA9DAEA717E914D57FAAF47642E672E10A64C8804DFF5684B7FB2AA68374366F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5963A0B69C069B81.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.208334764681773
Encrypted:	false
SSDEEP:	48:I05uZI+CFXJ9T5cuwNTMSCWAECiCyjMHoEMSCcT82RM:l5zlTxwu1EC0M4r2
MD5:	3091C7B10195BB6802CFC97C52963515
SHA1:	7A38A7D12725ED607B9445F550930B5BC4074460
SHA-256:	3F9968B0B4CA857E3AA295129E1894B4EDF6AFA98A055C234AF2254DE99173DB
SHA-512:	2BF96F45393DE1F77E0970BB8F825C4C139CB39A1255624C5B96CDA54A1E46CB9A5E6261D316A88B216ECE0BB737BBAB10207F5007D2A190FA588DD4584C0239
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6C340B8548BE49E1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF719ED03C996D711E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.208334764681773
Encrypted:	false
SSDEEP:	48:I05uZI+CFXJ9T5cuwNTMSCWAECiCyjMHoEMSCcT82RM:l5zlTxwu1EC0M4r2
MD5:	3091C7B10195BB6802CFC97C52963515
SHA1:	7A38A7D12725ED607B9445F550930B5BC4074460
SHA-256:	3F9968B0B4CA857E3AA295129E1894B4EDF6AFA98A055C234AF2254DE99173DB
SHA-512:	2BF96F45393DE1F77E0970BB8F825C4C139CB39A1255624C5B96CDA54A1E46CB9A5E6261D316A88B216ECE0BB737BBAB10207F5007D2A190FA588DD4584C0239
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE18C8A96C19B0889.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5023985818916723
Encrypted:	false
SSDEEP:	48:s8PhBuRc06WXJqjT5WuwNTMSCWAECiCyjMHoEMSCcT82RM:DhB1hjTPwu1EC0M4r2
MD5:	95FE6DB680BDD656C6CF158D847A0849
SHA1:	864ED3F2605A776D8FDC732E78DD908DA4FCA24B
SHA-256:	D75ED3F7B9E8303589E092264D8E158B4E675BE80B611A2C6B93DA02EAF3DD60
SHA-512:	33BE846C48AD97247CF51276BBE5C18E39B6F51F132990FFA4A077D26F334A777683709B6A3D977FD29148B0CAC64B2DC9913E7D1ADF383DA3318A954679E797
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE777E16F67C3FE3F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.208334764681773
Encrypted:	false
SSDEEP:	48:I05uZI+CFXJ9T5cuwNTMSCWAECiCyjMHoEMSCcT82RM:l5zlTxwu1EC0M4r2
MD5:	3091C7B10195BB6802CFC97C52963515
SHA1:	7A38A7D12725ED607B9445F550930B5BC4074460
SHA-256:	3F9968B0B4CA857E3AA295129E1894B4EDF6AFA98A055C234AF2254DE99173DB
SHA-512:	2BF96F45393DE1F77E0970BB8F825C4C139CB39A1255624C5B96CDA54A1E46CB9A5E6261D316A88B216ECE0BB737BBAB10207F5007D2A190FA588DD4584C0239
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF0AC4D4BDB2108BD.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {5BDB7F7B-15AF-4AF6-9F72-E84D5E8410BE}, Number of Words: 10, Subject: Aplicativo Windows, Author: Segurana, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Apr 7 01:49:24 2023, Number of Pages: 200
Entropy (8bit):	7.902531666909113
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	n_f_3_f_1_s_k_4_l.msi
File size:	7191552
MD5:	549e2bd18cc02a6d3311946905bc0eb5
SHA1:	97e6a6ef783ea046adc83e06eea4f772e38da1c9
SHA256:	21a06a37976a7b137003dac057cc1e1ddcab4bf942e8c51216819e195fba3d10
SHA512:	e483680eb7aa28f87b1633d54c6f8311594dad4538cf69f1602c66e198b5f1b47f3e74878ff748c9c3838fb5349204298dc2715d95f5def43770d4fdf294487a
SSDEEP:	196608:lIKv20ZmJxLsMsW2OekIOzRm6VMHGI5m:lIo25sW2OehQTVv
TLSH:	76761215F3CBC532C15D017BE859FE5F1539BEA3573040E3B6A939AE88F08C166B9A42
File Content Preview:	........................>...................n...................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...\|...}...~..............................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2023 15:03:08.644113064 CEST	49696	80	192.168.2.4	15.228.77.178
Apr 8, 2023 15:03:08.704869032 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:08.704942942 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:08.705029011 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:08.723858118 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:08.723902941 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.213089943 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.213247061 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:09.442476034 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:09.442552090 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.443335056 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.443463087 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:09.445883036 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:09.445915937 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.678953886 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.679060936 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:09.679085970 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.679111958 CEST	443	49697	187.45.187.42	192.168.2.4
Apr 8, 2023 15:03:09.679131031 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:09.679176092 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:11.647880077 CEST	49696	80	192.168.2.4	15.228.77.178
Apr 8, 2023 15:03:17.648407936 CEST	49696	80	192.168.2.4	15.228.77.178
Apr 8, 2023 15:03:29.714356899 CEST	49697	443	192.168.2.4	187.45.187.42
Apr 8, 2023 15:03:29.714405060 CEST	443	49697	187.45.187.42	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2023 15:03:08.307682991 CEST	50911	53	192.168.2.4	8.8.8.8
Apr 8, 2023 15:03:08.692630053 CEST	53	50911	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 8, 2023 15:03:08.307682991 CEST	192.168.2.4	8.8.8.8	0xad76	Standard query (0)	ebaoffice.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 8, 2023 15:03:08.692630053 CEST	8.8.8.8	192.168.2.4	0xad76	No error (0)	ebaoffice.com.br		187.45.187.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ebaoffice.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49697	187.45.187.42	443	C:\Users\user\AppData\Roaming\abd1 .exe

Timestamp	Direction	Data
2023-04-08 13:03:09 UTC	OUT	GET /imagens/bo/inspecionando.php HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ebaoffice.com.br Connection: Keep-Alive
2023-04-08 13:03:09 UTC	IN	HTTP/1.1 200 OK Date: Sat, 08 Apr 2023 13:03:09 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: imunify360-webshield/1.18 Last-Modified: Saturday, 08-Apr-2023 13:03:09 GMT Cache-Control: private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0 cf-edge-cache: no-cache
2023-04-08 13:03:09 UTC	IN	Data Raw: 35 36 31 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 74 69 74 6c 65 3e 4f 6e 65 20 6d 6f 6d 65 6e 74 2c 20 70 6c 65 61 73 65 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 46 36 46 37 46 38 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 30 33 31 33 31 3b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 34 35 76 68 3b 0a Data Ascii: 561<!doctype html><html><head><meta charset="utf-8"><meta name="robots" content="noindex, nofollow"><title>One moment, please...</title><style>body { background: #F6F7F8; color: #303131; font-family: sans-serif; margin-top: 45vh;

Target ID:	0
Start time:	15:03:00
Start date:	08/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\n_f_3_f_1_s_k_4_l.msi"
Imagebase:	0x7ff7a00a0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	15:03:00
Start date:	08/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7a00a0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	15:03:02
Start date:	08/04/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding B175E679D861DA44C1D62490FCC9BB11
Imagebase:	0x880000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	15:03:04
Start date:	08/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\abd1 .exe
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Generic_a160ca52, Description: unknown, Source: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.304487946.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	4
Start time:	15:03:39
Start date:	08/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\abd1 .exe"
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000004.00000002.386779049.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Generic_a160ca52, Description: unknown, Source: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Target ID:	5
Start time:	15:03:47
Start date:	08/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\abd1 .exe"
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000005.00000002.408834670.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Generic_a160ca52, Description: unknown, Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_d4b38e13, Description: unknown, Source: 00000005.00000002.419737912.000000006C72A000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	15.1%
Total number of Nodes:	86
Total number of Limit Nodes:	4

Executed Functions

Function 0240CB88 Relevance: .1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c653e45b4aaf56a49958bf8b1e4822883be0f87dacb0755924bbac30410974a
Instruction ID: b5a8a8091672ac86026546ab0040be4e793e1eb1cc225d1cfe36ad699f2e87b4
Opcode Fuzzy Hash: 5c653e45b4aaf56a49958bf8b1e4822883be0f87dacb0755924bbac30410974a
Instruction Fuzzy Hash: 3521F974D0020AEADF14DFA5C8C0BADB776EF44304F1486BBDD08AA2A5D7309685DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0240DDC2 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(E00000F8,00000000,00000000,023A00F8,?,?,?,?,?,?,?,?,0240DC4F,?,00000000), ref: 0240DDCE

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6f2e5f2b06326ddf79c1acd411bb72cf8da9839ada6840fc0fc4d193e29e05a6
Instruction ID: 4a661bc3cfd48efdca1ae3f75815b21d68e3b7b05bf7df671604d271b33863c6
Opcode Fuzzy Hash: 6f2e5f2b06326ddf79c1acd411bb72cf8da9839ada6840fc0fc4d193e29e05a6
Instruction Fuzzy Hash: B2613971A49781CFC701CFBCC89465ABBE1EF9A210B1845AFE485CB2D6D7309489C792

Uniqueness

Uniqueness Score: -1.00%

Function 0240BFBF Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(E0000107,?,0240B89E,?), ref: 0240BFCB

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b745fba81bed9dc541eaa27bc6ccde16843077b48874c897e258226ce39ef9b1
Instruction ID: 27f2dbdb8a5f672520def1ad749e6dc293b4183d4b3d21fa36c815cb7c4f81af
Opcode Fuzzy Hash: b745fba81bed9dc541eaa27bc6ccde16843077b48874c897e258226ce39ef9b1
Instruction Fuzzy Hash: 7F31A7719542429FCB12EEB4C8D5AAABB75DB0621071492E7C892CB2C6E2714483CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0240DD2B Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL(E0000059,00000000,023A00F8,?,0240DBE7,?), ref: 0240DD37

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 747da454e62d866cdaf072997fa4dc9eeaea88443f351173ea9ca139dafd11e2
Instruction ID: 10424f989c3ccb81337cba66df781ef4e7208ca9bf2377cdceb738c353ac4aa3
Opcode Fuzzy Hash: 747da454e62d866cdaf072997fa4dc9eeaea88443f351173ea9ca139dafd11e2
Instruction Fuzzy Hash: F9C09B71269C20AFC101CF5C586C79573D57F48211FD89AE1E128C75A1C350C5114A55

Uniqueness

Uniqueness Score: -1.00%

Function 6C722434 Relevance: 1.5, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WJI, xrefs: 6C722477

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C722000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c722000_abd1 .jbxd

Similarity

API ID:
String ID: WJI
API String ID: 0-2894010502
Opcode ID: 650b7b8712d387afb1b35a6483a397addf78f2ad77140446f23bd16ce27acca5
Instruction ID: 94ec4677e6b3022ab96c8d333c523833269ef6d8825ceab0df348016d76ef171
Opcode Fuzzy Hash: 650b7b8712d387afb1b35a6483a397addf78f2ad77140446f23bd16ce27acca5
Instruction Fuzzy Hash: 8551BCF1DFC142DBC3088A5C8F9C94936E0AB63370726C627D9715AE1AE63EDE008752

Uniqueness

Uniqueness Score: -1.00%

Function 6C72248E Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C722000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c722000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5500bf8596b1bd0ee7a476c572676d764aa8b8eb8467fcfd0e66eadff68a23f8
Instruction ID: 9cd6db5f6d875f80192fd4fd93c32800942cf4ebe4e0398086fa7838e890ba5c
Opcode Fuzzy Hash: 5500bf8596b1bd0ee7a476c572676d764aa8b8eb8467fcfd0e66eadff68a23f8
Instruction Fuzzy Hash: 75F0E2E02FCA92E7A354CC8D8FFCD5111286B97330B40C925BC3A2AC94E2ADCD018231

Uniqueness

Uniqueness Score: -1.00%

Function 6C722495 Relevance: .0, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C722000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c722000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bef809882d84a89dc5a5aa30c256904ec0498673b84e02fa710f5d5d4da779d
Instruction ID: d2b87053c7ce144956735c72eb203faf1c5993bef2d6116c207fdfef68e1c242
Opcode Fuzzy Hash: 2bef809882d84a89dc5a5aa30c256904ec0498673b84e02fa710f5d5d4da779d
Instruction Fuzzy Hash: 3AF027F12FC952EBA7548D8D8FFCDA11118A7AB330B01C925BC3927D90E25DCD018231

Uniqueness

Uniqueness Score: -1.00%

Function 6C7224A1 Relevance: .0, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C722000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c722000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e189ed477a36a12ea7dc85f14978fd5ff9c62c3167d45d5269bd7d0773671f
Instruction ID: c2e8d19863d7f92df294c0e7b8a0aec45b9a3dbb36d89bfbade63d39198f723e
Opcode Fuzzy Hash: 41e189ed477a36a12ea7dc85f14978fd5ff9c62c3167d45d5269bd7d0773671f
Instruction Fuzzy Hash: 00F0E5E12FCA52E6A354888D8FECD56111C5797730B40C925BC3A26D90F15DCD018131

Uniqueness

Uniqueness Score: -1.00%

Function 6C7224A9 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C722000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c722000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ffa8a5efa50c4faf02f92bd7ab2f5a9c4ec100caf67cfd7292e47ed479962d6
Instruction ID: ecbf18ec87600c263543e6837ae03071c268859cfa15b5805cefe208768ec300
Opcode Fuzzy Hash: 1ffa8a5efa50c4faf02f92bd7ab2f5a9c4ec100caf67cfd7292e47ed479962d6
Instruction Fuzzy Hash: 65E0D8D12FDA92F6A314488D4FFCD55001C579B770B01CA25BD3E2AD95F19DCD414131

Uniqueness

Uniqueness Score: -1.00%

Function 6C7224B0 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C722000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C722000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c722000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f07e5e1f6c4af38390a62c97016b3546463d553f9a7231942766a0eec9d39d
Instruction ID: 6704479d874978d79cb44d932513ad03392db01afa25ebb8ca8511abd5df4565
Opcode Fuzzy Hash: b0f07e5e1f6c4af38390a62c97016b3546463d553f9a7231942766a0eec9d39d
Instruction Fuzzy Hash: 64E022E12FCA92EBA3108C4D8FECA4112686797330B018A20F83A1BC95F29DCD408270

Uniqueness

Uniqueness Score: -1.00%

Function 6C72C970 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C72B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c72b000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366e7f3b166a2d57ac4c7e7c26b05bb41f5d9a016d6160ba04766a62ec23b56a
Instruction ID: 60a513bdf59608f6427b310eaec3e1ba02f3e225bb1fa4faccaf22142612e1de
Opcode Fuzzy Hash: 366e7f3b166a2d57ac4c7e7c26b05bb41f5d9a016d6160ba04766a62ec23b56a
Instruction Fuzzy Hash: 2CC0EA3204024EBBDF025E95DE05E9A7F2AAB18651F008111BA1519561C7729571BBA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 023A206E Relevance: 9.7, Strings: 6, Instructions: 2159COMMON

Download Yara Rule

Strings

, xrefs: 023A2165, 023A2182, 023A219C, 023A21C2, 023A21E8, 023A2214, 023A2231, 023A224B, 023A2271, 023A2297, 023A22C3, 023A22E4, 023A2308, 023A2329, 023A2355, 023A238E, 023A23B1, 023A23D5, 023A23F6, 023A2422, 023A245A, 023A247D, 023A24A1, 023A24C2, 023A24EE, 023A2527, 023A254A, 023A256B, 023A258D, 023A25BC, 023A25EC, 023A260D, 023A262E, 023A2650, 023A267F, 023A26AF, 023A26D0, 023A26F1, 023A2712, 023A2741, 023A2771, 023A2792, 023A27B3, 023A27D5, 023A2806, 023A283A, 023A285D, 023A287C, 023A28A1, 023A28D2, 023A2906, 023A2929, 023A2948, 023A296E, 023A299F, 023A29D3, 023A29F6, 023A2A15, 023A2A3B, 023A2A64, 023A2A9B, 023A2ABC, 023A2AE0, 023A2B04, 023A2B26, 023A2B5E, 023A2B7F, 023A2BA3, 023A2BC7, 023A2BE9, 023A2C21, 023A2C42, 023A2C66, 023A2C8A, 023A2CAC, 023A3916, 023A2139
, xrefs: 023A2D95, 023A2DCD, 023A2DEE, 023A2E12, 023A2E36, 023A2E58, 023A2E90, 023A2EB1, 023A2ED5, 023A2EF9, 023A2F1B, 023A2F55, 023A2F78, 023A2F97, 023A2FBD, 023A2FEE, 023A3021, 023A3044, 023A3063, 023A3089, 023A30BA, 023A30EE, 023A3111, 023A3130, 023A3156, 023A3187, 023A31BB, 023A31DC, 023A31FD, 023A321F, 023A324E, 023A327E, 023A329F, 023A32C0, 023A32E2, 023A3311, 023A3341, 023A3362, 023A3383, 023A33A5, 023A33D4, 023A3403, 023A3424, 023A3448, 023A3469, 023A3495, 023A34CE, 023A34F1, 023A3515, 023A3536, 023A3562, 023A359A, 023A35BD, 023A35E1, 023A3602, 023A362E, 023A3667, 023A368A, 023A36AE, 023A36D2, 023A36F8, 023A3724, 023A3741, 023A375B, 023A3781, 023A37A7, 023A37D3, 023A37F0, 023A380A, 023A3830, 023A3856, 023A3881, 023A389E, 023A38B8, 023A38DE, 023A3904
, xrefs: 023A2D48, 023A2D7F, 023A2DA0, 023A2DC4, 023A2DE8, 023A2E0A, 023A2E42, 023A2E63, 023A2E87, 023A2EAB, 023A2ECD, 023A2F05, 023A2F26, 023A2F45, 023A2F6B, 023A2F9C, 023A2FD0, 023A2FF3, 023A3011, 023A3037, 023A3068, 023A309C, 023A30BF, 023A30DE, 023A3104, 023A3135, 023A3169, 023A318C, 023A31AB, 023A31D1, 023A3200, 023A3230, 023A3251, 023A3272, 023A3294, 023A32C3, 023A32F3, 023A3314, 023A3335, 023A3357, 023A3386, 023A33B6, 023A33D7, 023A33F7, 023A3419, 023A3443, 023A347C, 023A349F, 023A34C3, 023A34E4, 023A3510, 023A3549, 023A356C, 023A358F, 023A35B0, 023A35DC, 023A3615, 023A3638, 023A365C, 023A367D, 023A36A9, 023A36DE, 023A36FB, 023A3715, 023A373B, 023A3761, 023A378D, 023A37AA, 023A37C4, 023A37EA, 023A3810, 023A383C, 023A3859, 023A3873, 023A3898, 023A38BE, 023A38EA, 023A3919
, xrefs: 023A2D53, 023A2D76, 023A2D9A, 023A2DBC, 023A2DF4, 023A2E15, 023A2E39, 023A2E5D, 023A2E7F, 023A2EB7, 023A2ED8, 023A2EFC, 023A2F20, 023A2F4A, 023A2F7E, 023A2FA1, 023A2FC0, 023A2FE6, 023A3016, 023A304A, 023A306D, 023A308C, 023A30B2, 023A30E3, 023A3117, 023A313A, 023A3159, 023A317F, 023A31B0, 023A31E2, 023A3203, 023A3224, 023A3246, 023A3275, 023A32A5, 023A32C6, 023A32E7, 023A3309, 023A3338, 023A3368, 023A3389, 023A33AA, 023A33CC, 023A33FA, 023A342A, 023A344D, 023A3471, 023A3492, 023A34BE, 023A34F7, 023A351A, 023A353E, 023A355F, 023A358A, 023A35C3, 023A35E6, 023A360A, 023A362B, 023A3657, 023A3690, 023A36B3, 023A36CF, 023A36F5, 023A371B, 023A3747, 023A3764, 023A377E, 023A37A4, 023A37CA, 023A37F6, 023A3813, 023A382D, 023A3853, 023A3879, 023A38A4, 023A38C1, 023A38DB, 023A3930, 023A2CFA, 023A2D32
, xrefs: 023A2119, 023A2133, 023A2159, 023A217F, 023A21AB, 023A21C8, 023A21E2, 023A2208, 023A222E, 023A225A, 023A2277, 023A2291, 023A22B7, 023A22DA, 023A2313, 023A2336, 023A235A, 023A237B, 023A23A7, 023A23E0, 023A2403, 023A2427, 023A2448, 023A2473, 023A24AC, 023A24CF, 023A24F3, 023A2514, 023A2540, 023A2577, 023A2598, 023A25B9, 023A25DB, 023A260A, 023A263A, 023A265B, 023A267C, 023A269E, 023A26CD, 023A26FC, 023A271D, 023A273E, 023A2760, 023A278F, 023A27BF, 023A27E2, 023A2801, 023A2827, 023A2858, 023A288B, 023A28AE, 023A28CD, 023A28F3, 023A2924, 023A2958, 023A297B, 023A299A, 023A29C0, 023A29F1, 023A2A25, 023A2A48, 023A2A6C, 023A2A90, 023A2AB1, 023A2AE9, 023A2B0A, 023A2B2E, 023A2B52, 023A2B74, 023A2BAC, 023A2BCD, 023A2BF1, 023A2C15, 023A2C37, 023A2C6F, 023A2C90, 023A2CB4, 023A3901, 023A20FC, 023A20D0
, xrefs: 023A2DA6, 023A2DC7, 023A2DEB, 023A2E0F, 023A2E31, 023A2E69, 023A2E8A, 023A2EAE, 023A2ED2, 023A2EF4, 023A2F2C, 023A2F4F, 023A2F6E, 023A2F94, 023A2FC5, 023A2FF8, 023A301B, 023A303A, 023A3060, 023A3091, 023A30C5, 023A30E8, 023A3107, 023A312D, 023A315E, 023A3192, 023A31B5, 023A31D6, 023A31F8, 023A3227, 023A3257, 023A3278, 023A3299, 023A32BB, 023A32EA, 023A331A, 023A333B, 023A335C, 023A337E, 023A33AD, 023A33DC, 023A33FD, 023A341E, 023A3440, 023A346C, 023A34A5, 023A34C8, 023A34EC, 023A350D, 023A3539, 023A3571, 023A3594, 023A35B8, 023A35D9, 023A3605, 023A363E, 023A3661, 023A3685, 023A36A6, 023A36D5, 023A3701, 023A371E, 023A3738, 023A375E, 023A3784, 023A37B0, 023A37CD, 023A37E7, 023A380D, 023A3833, 023A385F, 023A387C, 023A3895, 023A38BB, 023A38E1, 023A390D

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID: $$$$$
API String ID: 0-1395034193
Opcode ID: e1a2cecbd5d717c32daa21c098d03fd8f58ef7311799b5cc648fdc4af5df4f73
Instruction ID: c12796ba50fb23194420874a76c7f89d3082be8777d4cdfacdb6b3df9f99ee91
Opcode Fuzzy Hash: e1a2cecbd5d717c32daa21c098d03fd8f58ef7311799b5cc648fdc4af5df4f73
Instruction Fuzzy Hash: 32239DB6E10A099BCB08CB94CD96ADEFBF1FF98214F198558D411F7304E339EA11DA64

Uniqueness

Uniqueness Score: -1.00%

Function 0240AEAA Relevance: 6.4, Strings: 5, Instructions: 170COMMON

Download Yara Rule

Strings

0, xrefs: 0240AF70
0, xrefs: 0240AEFB
0, xrefs: 0240AF97
0, xrefs: 0240AF49
0, xrefs: 0240AF22

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$0$0$0
API String ID: 0-4235325143
Opcode ID: 2f35127adf7ed84c734ed8da0a90e85b3e41c2529bda75405762d1db815b9751
Instruction ID: 30a1a1d3eb04f4bb0275c4d1d8b9d3ed99ce9e225b68fa25c669a5a227b8875b
Opcode Fuzzy Hash: 2f35127adf7ed84c734ed8da0a90e85b3e41c2529bda75405762d1db815b9751
Instruction Fuzzy Hash: 4471FC75800219EFDF61EF91CD84BDEBBBAFF48700F0045AAE518A2291D7719A94DF50

Uniqueness

Uniqueness Score: -1.00%

Function 0240A041 Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

0, xrefs: 0240A08D
0, xrefs: 0240A06F
0, xrefs: 0240A054
0, xrefs: 0240A0B1

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID: 0$0$0$0
API String ID: 0-3558443385
Opcode ID: 5d8a3c5d0ceedec335aad318560a1b22cfd20e5e829733c975242ba032da890c
Instruction ID: afe9f645c50733e3f344d7fb0907dc8d970590eb238e1e618b3c9d918c0bc0c4
Opcode Fuzzy Hash: 5d8a3c5d0ceedec335aad318560a1b22cfd20e5e829733c975242ba032da890c
Instruction Fuzzy Hash: 47917D7190021ADBDB169FA4C8D0BAEB7B6FF08304F1545BAD602AB391E735DAD0DB40

Uniqueness

Uniqueness Score: -1.00%

Function 023FFE78 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

, xrefs: 023FFEB2

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78dd48c94b001a9e101e90b643ec0c398dfedbcee4f94c04fbe2feaeb1e6f85f
Instruction ID: 34267e8f64966451cda062cefb54e1d59627b064f8127f53bb69668a5b17724d
Opcode Fuzzy Hash: 78dd48c94b001a9e101e90b643ec0c398dfedbcee4f94c04fbe2feaeb1e6f85f
Instruction Fuzzy Hash: 4321573190D306DBC7D48A04F4849B8B77DBB26B00F1244A6EF0B9ADD7E3318911CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0240AA72 Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

<, xrefs: 0240AABC

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 7cbb458ecc71336aca730db906be71de756a91d90c2f67d82e8ad20602b5336d
Instruction ID: 347564b260fac7513112a64b4ec50ffa329728f69e04af6323d7f292a636791c
Opcode Fuzzy Hash: 7cbb458ecc71336aca730db906be71de756a91d90c2f67d82e8ad20602b5336d
Instruction Fuzzy Hash: 2721E875D012199FDB04CE55C9849EFB7B5FF8A314F50912AE9097B241C734EE42CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0240B6C6 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce151d7901f5e0ce65238f75a50f042223a9d5c7e81dd7ff6344013c59678d2a
Instruction ID: 07cd6d9d9e3b47b47d87e183f24bbdc6e088e7af2d09e92ca29068145cc957fc
Opcode Fuzzy Hash: ce151d7901f5e0ce65238f75a50f042223a9d5c7e81dd7ff6344013c59678d2a
Instruction Fuzzy Hash: 53817B32D0C605EBDB658A618CC5BBA7674EB0471CF1444B7E907AA1E1D3309AC3CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 023FFC5E Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cfebe4d6d8672492c604f033ad171fdb1a14da7b27fa925329922e894ef022
Instruction ID: 12c95ba143aa50104c175188e3e27e57807d8bfcd2f9365d825c3e5aa05a6d94
Opcode Fuzzy Hash: 51cfebe4d6d8672492c604f033ad171fdb1a14da7b27fa925329922e894ef022
Instruction Fuzzy Hash: 6A41373250C055DBC7D89A04F484AB9B63DBB50B44F6485A3EF0BAADCBE7306952CA91

Uniqueness

Uniqueness Score: -1.00%

Function 023A484F Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 836bd08ceabfc3e3b7173788a9fbc7d6eed8589a3d56bb68672e25ed720186d5
Instruction ID: 809a20de74aecc90352d2e3939f7d4bff5f18288a89e75a580c142c44c2e60f3
Opcode Fuzzy Hash: 836bd08ceabfc3e3b7173788a9fbc7d6eed8589a3d56bb68672e25ed720186d5
Instruction Fuzzy Hash: 25318A3240D3E0AFDBA79F7890A51C3BFA16E5B20435B66DEC8D05F823D6126846E791

Uniqueness

Uniqueness Score: -1.00%

Function 0240F820 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ba18875e41beaa5c8189aa70d496925135b69897238eaaf873fb3c19cd15788
Instruction ID: 99bd2e2a47bd32c0f20a8fa1cd5d558ef455f1b9fa4427f496cd05569d082ed0
Opcode Fuzzy Hash: 7ba18875e41beaa5c8189aa70d496925135b69897238eaaf873fb3c19cd15788
Instruction Fuzzy Hash: 31317E31900606ABDB28CE56C484BA7B7B1FF49314F16C539E9598BA91CB30E8D4DF80

Uniqueness

Uniqueness Score: -1.00%

Function 02406E7B Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10aa2256821d2209632b9e387cbaf4d94b8f4eb1b81bd2ecb5d0dedaf77d214d
Instruction ID: c684d02bc51574eaf759cacaf06eea0684357a748565cda8d690d82c5e86f20e
Opcode Fuzzy Hash: 10aa2256821d2209632b9e387cbaf4d94b8f4eb1b81bd2ecb5d0dedaf77d214d
Instruction Fuzzy Hash: 2A01B160AA534D0A2E38092CE0D427BE39E9257A59B6AB43BC483D67D4C734D1F361CD

Uniqueness

Uniqueness Score: -1.00%

Function 023FF721 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae13e2e6710f8cc6cc1cc6b0f3effd0a5b34b27d5a96c6815123b4bbac2b491
Instruction ID: e22a2587408eb781e4316250aba1ccf7721c5999a6f898d1c87481dd0213b9a6
Opcode Fuzzy Hash: dae13e2e6710f8cc6cc1cc6b0f3effd0a5b34b27d5a96c6815123b4bbac2b491
Instruction Fuzzy Hash: 1621A2B2605201ABDBA08F55DCC8BA677A8EFC4B55F2901B9FE0CAE5D5EB705400CA20

Uniqueness

Uniqueness Score: -1.00%

Function 0240F63F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb0d0630ae7ffe745aa6798ed88db84e9671e9de4f9522122fd4d4017adaffae
Instruction ID: 0c047846cc0b1f4aa1ab5911f39113e9b86609a7c355674f9bbfdac7f4595309
Opcode Fuzzy Hash: bb0d0630ae7ffe745aa6798ed88db84e9671e9de4f9522122fd4d4017adaffae
Instruction Fuzzy Hash: 1611C83165014B5ADF208EA08880FFBB732FF45B08F099977E4855A6B4EB31D8979B94

Uniqueness

Uniqueness Score: -1.00%

Function 02409EBB Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713e57ae2468ecc67231e8973418ad8bc8e1510acad59b2080f0337c4bea1061
Instruction ID: bd584d4e9967ec653b79fdbd42c32ec01062ad301592fad82e044e49440ba49e
Opcode Fuzzy Hash: 713e57ae2468ecc67231e8973418ad8bc8e1510acad59b2080f0337c4bea1061
Instruction Fuzzy Hash: 8E118032710A194BD758CD2E88440ABF3D7EBD4260B888A2EC593C7769CAB0E912C691

Uniqueness

Uniqueness Score: -1.00%

Function 02409E38 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119cd661c0b3c20ea8da54369756ec735ab73cb80c1fb8c43630a6d5d311cee5
Instruction ID: b08a9b0710b156e058ec7fcbc2daafad261a0e39aa473fe97a0567f27f14300d
Opcode Fuzzy Hash: 119cd661c0b3c20ea8da54369756ec735ab73cb80c1fb8c43630a6d5d311cee5
Instruction Fuzzy Hash: F4019E32710B154BD768CD3E8C440ABF7E7EBC4260B898B2ED6A3C7665C670E911C790

Uniqueness

Uniqueness Score: -1.00%

Function 02403A62 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ba6668b8d07be3a7822478b93ffac8d80b6e60dfbdb3b1bb6df2d7b294001b
Instruction ID: 4ff9f5a8285fabcecf4bbef6b7a1fdc7d5b7972a6eb7f362733f9a5accd9fd10
Opcode Fuzzy Hash: 75ba6668b8d07be3a7822478b93ffac8d80b6e60dfbdb3b1bb6df2d7b294001b
Instruction Fuzzy Hash: F5012535A01205DFDB048F01D884AAAFFB1FB96314F24D1BAEC089B255C732D8A1CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0240D2F6 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375d851f629ad767ccaeed867906e291473f0c5914d15c759753d14cabb5645a
Instruction ID: bce4581ffd08662469dd25f1c46ddf9f31ab7b4f46eb88ac67cd07bdb4c4602c
Opcode Fuzzy Hash: 375d851f629ad767ccaeed867906e291473f0c5914d15c759753d14cabb5645a
Instruction Fuzzy Hash: AEE09A21C10300A6D3215E999589ABBF2B8EB82700F00236A9D40B71A49BF2E0AA4598

Uniqueness

Uniqueness Score: -1.00%

Function 0240AB7F Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9954bf53b3a1323048892631ce329cb582253ca904c9ef5c72ab1d2985e0f11c
Instruction ID: 6bd5b304a480c41924155bd9d9302b0d751835c2d8fc24e6942d5d3c7bd61a59
Opcode Fuzzy Hash: 9954bf53b3a1323048892631ce329cb582253ca904c9ef5c72ab1d2985e0f11c
Instruction Fuzzy Hash: 01F0F275A0011A9BCF00CE69C8848FEF771FB4A321F509066EE1A6B201C6359A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0240FD17 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec9cf6568997ca653abce4c31464dc0581a0d83c43b7006b34c6b7c61b71155
Instruction ID: f2ea9af47760624f3c3854f2eda3dbcbb2e168fc590b399055f07fad41296e03
Opcode Fuzzy Hash: 1ec9cf6568997ca653abce4c31464dc0581a0d83c43b7006b34c6b7c61b71155
Instruction Fuzzy Hash: 35D05E32A1C60CD122B86EA544C0472B3784E22340F031933C94742EC0ED34D4DFC1DA

Uniqueness

Uniqueness Score: -1.00%

Function 023A0EE0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.570577629.00000000023A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23a0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c74a835e024dcce0581481cbef60a992a2708a2c607cde614e43ba4a535e0d
Instruction ID: 027aeedd380ec1913e5f5d435ddd29fbb73e185a3b9b1037275698cd3cd76d56
Opcode Fuzzy Hash: 67c74a835e024dcce0581481cbef60a992a2708a2c607cde614e43ba4a535e0d
Instruction Fuzzy Hash: FFC08CA471930386FB2D04BEE4E87930289D34430AF05C0B9A40CE01D0F70EDC90E000

Uniqueness

Uniqueness Score: -1.00%

Function 6C72CF0E Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C72B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c72b000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fec9b18dd5d5f9871a9bc8610b90691dbcaadd3f521946c3e8c53397e9d1a17
Instruction ID: 50f42a733be76b4a8b1a95ff6fbc9f00ae30099de05779299c84b5b0ac81fd46
Opcode Fuzzy Hash: 7fec9b18dd5d5f9871a9bc8610b90691dbcaadd3f521946c3e8c53397e9d1a17
Instruction Fuzzy Hash: 8FA001179651022277203E32076C1BAD4759A6328EF883A604D14B3E19AB0CC0580089

Uniqueness

Uniqueness Score: -1.00%

Function 6C72BEE6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C72B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c72b000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c65fbfd1029db3f33ec6110b4aabeacd8af1873592b36eb135c7b070689964
Instruction ID: e662c32fe65dc1927fd89a681037dddacec98cc58202497c390ed94bd03ec2df
Opcode Fuzzy Hash: f6c65fbfd1029db3f33ec6110b4aabeacd8af1873592b36eb135c7b070689964
Instruction Fuzzy Hash: 8FA00275A0110456BB1657029A51B553632D15A1123A004F2680E14A45951EE2A05EC5

Uniqueness

Uniqueness Score: -1.00%

Function 6C72BE96 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.577793430.000000006C72B000.00000040.00000001.01000000.00000004.sdmp, Offset: 6C72B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6c72b000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b27a762e4921c6606bab82f4a15b89a486d8ebc2866bddbea42c47237b6ce22
Instruction ID: d4041794d3e3a757d70c2f335ae244b5e26dc5951736c8403b4e67ae7933d8f7
Opcode Fuzzy Hash: 7b27a762e4921c6606bab82f4a15b89a486d8ebc2866bddbea42c47237b6ce22
Instruction Fuzzy Hash: CBA00272A5520555BB1A5A029A50B853632D1A612279018F2582A11A45451EA2A05ED9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: abd1 .exePID: 6564, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	365
Total number of Limit Nodes:	28

Executed Functions

Function 6A5FF76C Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.389273322.000000006A5F1000.00000040.00000001.01000000.00000004.sdmp, Offset: 6A5F0000, based on PE: true

Associated: 00000004.00000002.389255072.000000006A5F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.389273322.000000006A60E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.389273322.000000006A9FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391258071.000000006AA1B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391258071.000000006AA20000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391291276.000000006AA23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391314836.000000006AA27000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391331640.000000006AA2C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391349159.000000006AA2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AA2F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC7D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACB9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACC7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACD5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD26000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD55000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD61000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD68000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD9D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADA6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADAB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADC7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AE0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF1E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF29000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF31000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF65000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF74000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF7D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF82000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF8B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AFDA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B002000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B00E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B015000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B049000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B058000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B061000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B066000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B073000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0B7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0DB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0E6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0F9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B12E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B137000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B13C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B145000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B14A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B158000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B19B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1CB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1D6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B212000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B21B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B221000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B22A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B22F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B238000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B23C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B27F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2AF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B305000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B30E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B313000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B320000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B364000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B393000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B39F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3A6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3DB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3F7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B405000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B447000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B44F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B477000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B483000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B48A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4BF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4CD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B52C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B55C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B567000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B56F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5B2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5CD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B611000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B640000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B64C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B653000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B687000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B696000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B69F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6F5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B724000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B737000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B76C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B77A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B789000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B796000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B7D9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B809000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B814000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B81C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B850000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B85F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B868000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B86D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B87A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8BE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8E2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8ED000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8F9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B900000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B934000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B943000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B951000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B95E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9D1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9DD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA19000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA27000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA35000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA43000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAB6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAC1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAC9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAFD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB0C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB15000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB1A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB27000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC7E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC91000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCD4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCDD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCE2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD6E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD75000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDA9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDB8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDC1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDC6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDD3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE17000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE46000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE8E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE97000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE9C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEAA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEB8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEFB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF2B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF36000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF3E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF72000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF81000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF8A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF9C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BFDF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C00F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C01B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C022000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C056000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C065000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C06E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C073000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C080000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C106000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C13B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C144000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C149000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C152000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C165000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1A8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1D8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1EB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C21F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C228000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C22E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C23C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C245000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C249000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C28C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2BC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2CF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C303000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C312000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C319000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C320000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C32D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C32F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C332000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C335000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C375000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C377000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C37D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C37F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C381000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C383000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C385000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C395000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C398000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3ED000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3F8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C404000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C409000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C40D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C411000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C44C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C450000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C452000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C454000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C456000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C459000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C45C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C45F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C464000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C466000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C468000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C46C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C46E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C489000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C48B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C48D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C492000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C498000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4CC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4CE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4D3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4FA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4FD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C500000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C53A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C53D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C541000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C545000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C547000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C549000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C54C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C54F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C552000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C554000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C558000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C55C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C560000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C563000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C565000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C569000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C56C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C56E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C570000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C574000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C576000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C578000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C57C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C57F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5BA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5CF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C61F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C622000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C625000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C627000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C62B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C62E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C630000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C632000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C634000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C637000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C63A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C63D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C640000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C642000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C645000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C647000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C64A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C64F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C651000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C653000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C655000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C659000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C65B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C660000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C663000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C695000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C698000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C69B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C69E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C702000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C704000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C706000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C708000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C712000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C714000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C716000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C718000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C720000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C722000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C728000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C730000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C733000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C736000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a5f0000_abd1 .jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa9ce47e37044006440feb764ce68820d4134339bb89f0635b58f7358e3026ed
Instruction ID: 13c8732da5302f1b0ecc36d83748cec468486635489033164c70e3f71d96c03e
Opcode Fuzzy Hash: fa9ce47e37044006440feb764ce68820d4134339bb89f0635b58f7358e3026ed
Instruction Fuzzy Hash: C4F0E271400209EFC752EB74CD5585EFBFCDF892187630E62E400E2992EF329E059D10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6A5F99A4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 6A5F99D2
GetLogicalProcessorInformation.KERNEL32(?,?,00000000,6A5F9A58,?,00000000,?,00000000,kernel32.dll,GetLogicalProcessorInformation), ref: 6A5F9A0A

Strings

GetLogicalProcessorInformation, xrefs: 6A5F99AF
kernel32.dll, xrefs: 6A5F99B4
@, xrefs: 6A5F9A5F

Memory Dump Source

Source File: 00000004.00000002.389273322.000000006A5F1000.00000040.00000001.01000000.00000004.sdmp, Offset: 6A5F0000, based on PE: true

Associated: 00000004.00000002.389255072.000000006A5F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.389273322.000000006A60E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.389273322.000000006A9FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391258071.000000006AA1B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391258071.000000006AA20000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391291276.000000006AA23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391314836.000000006AA27000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391331640.000000006AA2C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391349159.000000006AA2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AA2F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC7D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACB9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACC7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACD5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD26000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD55000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD61000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD68000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD9D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADA6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADAB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADC7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AE0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF1E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF29000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF31000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF65000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF74000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF7D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF82000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF8B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AFDA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B002000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B00E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B015000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B049000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B058000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B061000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B066000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B073000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0B7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0DB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0E6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0F9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B12E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B137000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B13C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B145000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B14A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B158000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B19B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1CB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1D6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B212000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B21B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B221000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B22A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B22F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B238000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B23C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B27F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2AF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B305000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B30E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B313000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B320000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B364000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B393000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B39F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3A6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3DB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3F7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B405000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B447000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B44F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B477000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B483000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B48A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4BF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4CD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B52C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B55C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B567000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B56F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5B2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5CD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B611000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B640000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B64C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B653000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B687000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B696000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B69F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6F5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B724000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B737000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B76C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B77A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B789000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B796000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B7D9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B809000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B814000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B81C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B850000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B85F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B868000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B86D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B87A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8BE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8E2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8ED000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8F9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B900000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B934000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B943000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B951000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B95E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9D1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9DD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA19000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA27000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA35000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA43000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAB6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAC1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAC9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAFD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB0C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB15000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB1A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB27000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC7E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC91000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCD4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCDD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCE2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD6E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD75000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDA9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDB8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDC1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDC6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDD3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE17000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE46000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE8E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE97000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE9C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEAA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEB8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEFB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF2B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF36000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF3E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF72000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF81000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF8A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF9C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BFDF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C00F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C01B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C022000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C056000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C065000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C06E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C073000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C080000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C106000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C13B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C144000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C149000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C152000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C165000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1A8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1D8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1EB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C21F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C228000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C22E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C23C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C245000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C249000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C28C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2BC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2CF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C303000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C312000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C319000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C320000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C32D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C32F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C332000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C335000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C375000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C377000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C37D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C37F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C381000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C383000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C385000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C395000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C398000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3ED000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3F8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C404000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C409000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C40D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C411000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C44C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C450000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C452000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C454000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C456000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C459000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C45C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C45F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C464000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C466000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C468000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C46C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C46E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C489000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C48B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C48D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C492000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C498000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4CC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4CE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4D3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4FA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4FD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C500000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C53A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C53D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C541000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C545000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C547000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C549000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C54C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C54F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C552000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C554000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C558000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C55C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C560000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C563000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C565000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C569000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C56C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C56E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C570000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C574000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C576000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C578000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C57C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C57F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5BA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5CF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C61F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C622000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C625000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C627000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C62B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C62E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C630000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C632000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C634000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C637000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C63A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C63D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C640000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C642000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C645000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C647000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C64A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C64F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C651000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C653000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C655000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C659000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C65B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C660000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C663000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C695000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C698000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C69B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C69E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C702000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C704000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C706000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C708000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C712000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C714000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C716000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C718000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C720000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C722000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C728000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C730000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C733000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C736000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a5f0000_abd1 .jbxd

Yara matches

Similarity

API ID: InformationLogicalProcessor
String ID: @$GetLogicalProcessorInformation$kernel32.dll
API String ID: 1773637529-79381301
Opcode ID: 4bffc73783ef41cd1181b845d1ae82b71aaf3ec2bb1d58c3aaf0817c0b60b77f
Instruction ID: ec09c2daf9c0940fd60525a3da5b33eb8bd30ebe2d2866560bc0d12743343f28
Opcode Fuzzy Hash: 4bffc73783ef41cd1181b845d1ae82b71aaf3ec2bb1d58c3aaf0817c0b60b77f
Instruction Fuzzy Hash: 9C116A71D04608EEDB01DFB9D808B9DBBB9EB44304F518CA6E954E7242EF758A82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 6A5FEF24 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(?,00000000), ref: 6A5FEF35
SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 6A5FEF93
SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 6A5FEFF0
SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 6A5FF023

Part of subcall function 6A5FEEE0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,6A5FEFA1), ref: 6A5FEEF7
Part of subcall function 6A5FEEE0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,6A5FEFA1), ref: 6A5FEF14

Memory Dump Source

Source File: 00000004.00000002.389273322.000000006A5F1000.00000040.00000001.01000000.00000004.sdmp, Offset: 6A5F0000, based on PE: true

Associated: 00000004.00000002.389255072.000000006A5F0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.389273322.000000006A60E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.389273322.000000006A9FA000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391258071.000000006AA1B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391258071.000000006AA20000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391291276.000000006AA23000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391314836.000000006AA27000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391331640.000000006AA2C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391349159.000000006AA2E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AA2F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC71000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC7D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AC84000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACB9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACC2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACC7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACD0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACD5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ACE3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD26000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD55000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD61000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD68000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AD9D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADA6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADAB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADBA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADC3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006ADC7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AE0A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF13000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF1E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF29000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF31000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF65000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF74000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF7D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF82000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF8B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AF8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006AFDA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B002000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B00E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B015000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B049000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B058000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B061000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B066000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B073000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0B7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0DB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0E6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B0F9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B12E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B137000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B13C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B145000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B14A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B158000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B19B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1CB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1D6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B1DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B212000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B21B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B221000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B22A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B22F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B238000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B23C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B27F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2AF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2C2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B2F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B305000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B30E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B313000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B320000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B364000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B393000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B39F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3A6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3DB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B3F7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B405000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B447000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B44F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B477000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B483000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B48A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4BF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4CD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4E5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B4E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B52C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B55C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B567000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B56F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5B2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B5CD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B611000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B640000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B64C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B653000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B687000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B696000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B69F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B6F5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B724000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B730000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B737000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B76C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B775000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B77A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B789000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B796000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B7D9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B809000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B814000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B81C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B850000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B85F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B868000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B86D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B87A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8BE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8E2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8ED000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B8F9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B900000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B934000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B943000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B951000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B95E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9D1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9DD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006B9E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA19000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA22000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA27000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA35000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA43000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BA86000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAB6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAC1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAC9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BAFD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB0C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB15000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB1A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB23000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB27000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BB6A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC7E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC89000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BC91000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCC5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCD4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCDD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCE2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BCEF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD62000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD6E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BD75000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDA9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDB8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDC1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDC6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BDD3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE17000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE46000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE52000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE8E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE97000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BE9C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEAA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEB8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BEFB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF2B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF36000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF3E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF72000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF81000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF8A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF8F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF98000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BF9C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006BFDF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C00F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C01B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C022000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C056000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C065000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C06E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C073000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C080000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C0FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C106000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C13B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C144000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C149000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C152000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C157000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C165000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1A8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1D8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C1EB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C21F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C228000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C22E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C23C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C245000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C249000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C28C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2BC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C2CF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C303000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C312000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C319000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C320000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C32D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C32F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C332000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C335000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C372000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C375000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C377000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C37D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C37F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C381000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C383000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C385000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C395000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C398000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C39E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3A9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3AD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3B6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3E9000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3ED000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3F8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C3FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C404000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C407000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C409000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C40D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C411000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C415000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C417000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C419000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C44C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C450000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C452000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C454000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C456000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C459000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C45C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C45F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C464000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C466000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C468000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C46C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C46E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C489000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C48B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C48D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C490000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C492000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C498000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4CC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4CE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4D0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4D3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4E4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4EC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4F2000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4F6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4FA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C4FD000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C500000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C53A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C53D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C541000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C545000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C547000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C549000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C54C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C54F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C552000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C554000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C556000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C558000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C55C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C560000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C563000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C565000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C569000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C56C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C56E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C570000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C574000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C576000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C578000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C57C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C57F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5B7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5BA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5C8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5CF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5D5000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5DE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C5E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C61F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C622000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C625000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C627000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C62B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C62E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C630000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C632000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C634000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C637000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C63A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C63D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C640000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C642000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C645000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C647000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C64A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C64F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C651000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C653000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C655000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C659000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C65B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C660000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C663000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C695000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C698000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C69B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C69E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6A8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6AA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B1000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6B8000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6BB000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C6C6000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C702000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C704000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C706000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C708000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C70E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C712000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C714000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C716000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C718000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C71E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.391368152.000000006C720000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C722000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C728000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C72B000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C730000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C733000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.419723352.000000006C736000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6a5f0000_abd1 .jbxd

Yara matches

Similarity

API ID: Thread$LanguagesPreferred$Language
String ID:
API String ID: 2255706666-0
Opcode ID: 2a9a68991abc43eb07a115812c60410f486c4b5f923c4fd4e53ab3b571c4bb1b
Instruction ID: d378f95aa3b18807795717b9a0e4ff509831992a38fa0ae53fb49ea4688225e2
Opcode Fuzzy Hash: 2a9a68991abc43eb07a115812c60410f486c4b5f923c4fd4e53ab3b571c4bb1b
Instruction Fuzzy Hash: 03316070A0021A9BDB01DFA9C884AAEB7F9FF45304F014965E921E7295DF749E0ACF51

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report n_f_3_f_1_s_k_4_l.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5e576f.rbs

C:\Users\user\AppData\Local\760639

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\inspecionando[1].htm

C:\Users\user\AppData\Local\Temp\MSIe548f.LOG

C:\Users\user\AppData\Roaming\WebUI.dll

C:\Users\user\AppData\Roaming\abd1 .exe

C:\Windows\Installer\5e576d.msi

C:\Windows\Installer\MSI5AE8.tmp

C:\Windows\Installer\MSI5C12.tmp

C:\Windows\Installer\MSI5C51.tmp

C:\Windows\Installer\MSI5C81.tmp

C:\Windows\Installer\MSI5D0F.tmp

C:\Windows\Installer\MSI5E48.tmp

C:\Windows\Installer\SourceHash{C2D550F7-7A44-449E-9376-91329715675A}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Windows Analysis Report
n_f_3_f_1_s_k_4_l.msi

Function 0240CB88 Relevance: .1, Instructions: 64
COMMON

Function 0240DDC2 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Function 0240BFBF Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Function 0240DD2B Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Function 6C722434 Relevance: 1.5, Strings: 1, Instructions: 203
COMMON

Function 6C72248E Relevance: .0, Instructions: 40
COMMON

Function 6C722495 Relevance: .0, Instructions: 39
COMMON

Function 6C7224A1 Relevance: .0, Instructions: 37
COMMON

Function 6C7224A9 Relevance: .0, Instructions: 34
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre