Edit tour

Windows Analysis Report
n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Overview

General Information

Sample Name:	n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi
Analysis ID:	846833
MD5:	52aa0c3a70909fe80e53faeb823bb55c
SHA1:	71291ff0d6aa3f58cbc73037a4c7001b83423f07
SHA256:	7a15f6773f997f669b096f5499146a34f496cdd13b44993821d762fed2a8793b
Tags:	msi
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (window names)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Machine Learning detection for dropped file

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

Allocates memory with a write watch (potentially for evading sandboxes)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Queries keyboard layouts

PE file contains more sections than normal

Launches processes in debugging mode, may be used to hinder debugging

Checks for available system drives (often done to infect USB drives)

Dropped file seen in connection with other malware

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6356 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 5148 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4468 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 64567A7FD192A26AA97A644E368FA553 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

abd1 .exe (PID: 3172 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)

abd1 .exe (PID: 4688 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)

abd1 .exe (PID: 812 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\abd1 .exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.abd1 .exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

HTTP traffic detected: GET /imagens/bo/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ebaoffice.com.brConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698

Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178

Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: abd1 .exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: abd1 .exe, 00000003.00000002.515139561.0000000000835000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.275608857.0000000000837000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: abd1 .exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: abd1 .exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: abd1 .exe, 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: abd1 .exe, 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	String found in binary or memory: http://stats.itopvpn.com/iusage.php
Source: abd1 .exe.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: abd1 .exe.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: abd1 .exe, abd1 .exe, 0000000D.00000002.372193818.0000000069EFF000.00000020.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.369687197.0000000002930000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.382791676.0000000002800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: abd1 .exe, 00000003.00000002.515139561.000000000075A000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.368504246.0000000000817000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/
Source: abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br//?
Source: abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/6
Source: abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381879988.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/e
Source: abd1 .exe, 0000000E.00000002.381879988.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php
Source: abd1 .exe, 00000003.00000002.515139561.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php#
Source: abd1 .exe, 0000000D.00000002.368504246.0000000000794000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.0000000000787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php$
Source: abd1 .exe, 0000000D.00000002.368504246.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php(
Source: abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php.
Source: abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php...
Source: abd1 .exe, 00000003.00000002.515139561.000000000083B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php1
Source: abd1 .exe, 00000003.00000002.515139561.000000000083B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381879988.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php2
Source: abd1 .exe, 00000003.00000002.515139561.0000000000819000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:
Source: abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory.IE5
Source: abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpL
Source: abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpLMEMp
Source: abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpR
Source: abd1 .exe, 0000000E.00000003.379995396.00000000009D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpV#
Source: abd1 .exe, 0000000E.00000003.379995396.00000000009B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpZZC:
Source: abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.368504246.0000000000817000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpb
Source: abd1 .exe, 00000003.00000002.515139561.000000000084B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpjC
Source: abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpk
Source: abd1 .exe, 0000000D.00000002.368504246.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381879988.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpkies
Source: abd1 .exe, 0000000D.00000002.368504246.0000000000794000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.0000000000787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpp
Source: abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.phpMAIN_ROAMINGP8
Source: abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phptCookiesJ
Source: abd1 .exe, 0000000D.00000002.367215320.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381276128.0000000000195000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL
Source: abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebaoffice.com.br/p#
Source: abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.368504246.0000000000817000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: abd1 .exe, 0000000E.00000002.381879988.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.coml
Source: abd1 .exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown

DNS traffic detected: queries for: ebaoffice.com.br

Source: global traffic

Source: unknown

HTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.3:49698 version: TLS 1.2

Source: abd1 .exe, 00000003.00000002.515139561.000000000075A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

PE file contains section with special chars

Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIA394.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\489f4f.msi

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BC6FF0A	14_2_6BC6FF0A
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE21F41	14_2_6BE21F41
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BEBF1B9	14_2_6BEBF1B9
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BBA53E1	14_2_6BBA53E1

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDF3A9B NtQueryInformationProcess,	14_2_6BDF3A9B
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE4E53 NtSetInformationThread,	14_2_6BDE4E53
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDEF44E NtQueryInformationProcess,	14_2_6BDEF44E

Source: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: WebUI.dll.1.dr

Static PE information: Number of sections : 15 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB

Source: WebUI.dll.1.dr	Static PE information: Section: ZLIB complexity 0.9925944010416666
Source: WebUI.dll.1.dr	Static PE information: Section: ZLIB complexity 0.9988442748708011

Source: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	ReversingLabs: Detection: 27%
Source: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	Virustotal: Detection: 40%

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 64567A7FD192A26AA97A644E368FA553
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 64567A7FD192A26AA97A644E368FA553	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\WebUI.dll

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI89cce.LOG

Jump to behavior

Source: classification engine

Classification label: mal100.evad.winMSI@8/27@1/3

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\gg24UGs6BG
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1250
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$c64
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$32c

Source: Yara match	File source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED

Source: C:\Users\user\AppData\Roaming\abd1 .exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Static file information: File size 9970176 > 1048576

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi, 489f4f.msi.1.dr, MSIA55B.tmp.1.dr, MSIA629.tmp.1.dr, MSIA58B.tmp.1.dr

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019C314 push esp; ret	3_2_0019C329
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CF80 pushfd ; iretd	3_2_0019CF81
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CAB0 push esp; retf	3_2_0019CAD1
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CE30 pushfd ; iretd	3_2_0019CE31
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019CEF8 pushfd ; iretd	3_2_0019CF19
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_0019C9E8 push esp; retf	3_2_0019C9E9
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_058AB587 push esi; retf 0000h	3_2_058AB588
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 3_2_058AC2D4 push eax; ret	3_2_058AC355
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0380 push edi; mov dword ptr [esp], 022DFFD4h	14_2_6BDE03A5
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0380 push ebp; mov dword ptr [esp], 2DA8F16Ch	14_2_6BDE03B9
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0380 push edi; mov dword ptr [esp], esi	14_2_6BDE03F8
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE01D4 push 3AA6E39Ch; mov dword ptr [esp], ecx	14_2_6BDE028E
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE03D0 push edi; mov dword ptr [esp], esi	14_2_6BDE03F8
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0269 push 3AA6E39Ch; mov dword ptr [esp], ecx	14_2_6BDE028E
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0097 push 0FAF6AB1h; mov dword ptr [esp], ebp	14_2_6BDE00C3
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0097 push 0EF15529h; mov dword ptr [esp], ebp	14_2_6BDE00CB
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0097 push 10803909h; mov dword ptr [esp], ecx	14_2_6BDE00E2
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDE0097 push 4DA89299h; mov dword ptr [esp], edi	14_2_6BDE00EA
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDDC2BF push ebx; mov dword ptr [esp], 00000505h	14_2_6BDDC2DA
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDDC2BF push ebp; mov dword ptr [esp], edi	14_2_6BDDC2ED
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDDC2BF push 4A5694F5h; mov dword ptr [esp], ecx	14_2_6BDDC2F5
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BDDC97E pushad ; retf 0017h	14_2_6BDDC993
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE32BE8 push ebp; retf	14_2_6BE32BE9
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE32A78 push 0BCE9929h; mov dword ptr [esp], edi	14_2_6BE32A83
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE32449 push 53AC0481h; mov dword ptr [esp], eax	14_2_6BE3249F
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE32452 push 53AC0481h; mov dword ptr [esp], eax	14_2_6BE3249F
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE325AB push 0B02AFF2h; mov dword ptr [esp], ebp	14_2_6BE32683
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE3271A push edx; mov dword ptr [esp], ebp	14_2_6BE32762
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BE3271A push 379A69D6h; mov dword ptr [esp], ebp	14_2_6BE32816
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BEBDAE9 push 0E416EA3h; mov dword ptr [esp], esp	14_2_6BEBDAEF
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Code function: 14_2_6BEBDF7A push 68C4916Dh; mov dword ptr [esp], esp	14_2_6BEBDF80

Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name:
Source: WebUI.dll.1.dr	Static PE information: section name: .themida
Source: WebUI.dll.1.dr	Static PE information: section name: .boot

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: initial sample

Static PE information: section name: entropy: 7.807418537016979

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\WebUI.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA58B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA55B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA629.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\abd1 .exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA394.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA4FD.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA58B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA55B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA629.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA394.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA4FD.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 3172 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 3172 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 3172 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 3172 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 3172 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 3172 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4688 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4688 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4688 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4688 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4688 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 4688 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 812 base: 4A3E60 value: E9 FB 65 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 812 base: 4A397C value: E9 FB 68 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 812 base: 49FCC0 value: E9 0B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 812 base: 49FCE4 value: E9 6B E7 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 812 base: 49FCF4 value: E9 FF E8 06 00	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory written: PID: 812 base: 49FCB0 value: E9 B7 EA 06 00	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Roaming\abd1 .exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 3508

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA58B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA55B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA629.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA4FD.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 14_2_6BE21126 rdtsc

14_2_6BE21126

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 5D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 6500000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 6680000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 66A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 5FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Memory allocated: 5F60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Thread delayed: delay time: 40000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: abd1 .exe, 0000000D.00000003.366378911.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Roaming\abd1 .exe

Code function: 14_2_6BE21126 rdtsc

14_2_6BE21126

Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\AppData\Roaming\abd1 .exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe

Jump to behavior

Source: abd1 .exe, 00000003.00000002.519978919.0000000002898000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: abd1 .exe, 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	Binary or memory string: ProgmanU

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\abd1 .exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	2 Process Injection	21 Masquerading	1 Credential API Hooking	551 Security Software Discovery	1 Replication Through Removable Media	1 Credential API Hooking	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Input Capture	2 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	341 Virtualization/Sandbox Evasion	Security Account Manager	341 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Software Packing	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	27%	ReversingLabs	Win32.Trojan.Barys
n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	40%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WebUI.dll	100%	Avira	TR/Crypt.XPACK.Gen2
C:\Users\user\AppData\Roaming\WebUI.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WebUI.dll	41%	ReversingLabs	Win32.Trojan.Barys
C:\Users\user\AppData\Roaming\abd1 .exe	0%	ReversingLabs
C:\Windows\Installer\MSIA394.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA4FD.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA55B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA58B.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA629.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ebaoffice.com.br	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpR	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpZZC:	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpV#	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpL	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/p#	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.phpMAIN_ROAMINGP8	0%	Avira URL Cloud	safe
https://ebaoffice.com.br//?	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpb	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php#	100%	Avira URL Cloud	malware
https://ebaoffice.com.br/imagens/bo/inspecionando.phpLMEMp	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php(	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpk	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/e	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php$	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php2	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php1	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpp	0%	Avira URL Cloud	safe
http://stats.itopvpn.com/iusage.php	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php.	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phptCookiesJ	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/6	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php	100%	Avira URL Cloud	malware
https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php...	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpkies	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory.IE5	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpjC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ebaoffice.com.br	187.45.187.42	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ebaoffice.com.br/imagens/bo/inspecionando.php	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ebaoffice.com.br/imagens/bo/inspecionando.phpZZC:	abd1 .exe, 0000000E.00000003.379995396.00000000009B0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/p#	abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpR	abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpV#	abd1 .exe, 0000000E.00000003.379995396.00000000009D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpL	abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.phpMAIN_ROAMINGP8	abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br//?	abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	abd1 .exe, 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	false		high
https://ebaoffice.com.br/imagens/bo/inspecionando.php#	abd1 .exe, 00000003.00000002.515139561.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpb	abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.368504246.0000000000817000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpLMEMp	abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	abd1 .exe, abd1 .exe, 0000000D.00000002.372193818.0000000069EFF000.00000020.00000001.01000000.00000004.sdmp, abd1 .exe, 0000000D.00000002.369687197.0000000002930000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.382791676.0000000002800000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpk	abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php(	abd1 .exe, 0000000D.00000002.368504246.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007A3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/e	abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381879988.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php$	abd1 .exe, 0000000D.00000002.368504246.0000000000794000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.0000000000787000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://stats.itopvpn.com/iusage.php	abd1 .exe, 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.dr	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php2	abd1 .exe, 00000003.00000002.515139561.000000000083B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381879988.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php1	abd1 .exe, 00000003.00000002.515139561.000000000083B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpp	abd1 .exe, 0000000D.00000002.368504246.0000000000794000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.0000000000787000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php.	abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/	abd1 .exe, 00000003.00000002.515139561.000000000075A000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.368504246.0000000000817000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phptCookiesJ	abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/6	abd1 .exe, 0000000E.00000003.379995396.00000000009E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL	abd1 .exe, 0000000D.00000002.367215320.0000000000195000.00000004.00000010.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381276128.0000000000195000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php...	abd1 .exe, 00000003.00000002.515139561.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpkies	abd1 .exe, 0000000D.00000002.368504246.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000003.366378911.00000000007A3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000002.381879988.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000E.00000003.379995396.00000000009D2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:	abd1 .exe, 00000003.00000002.515139561.0000000000819000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory.IE5	abd1 .exe, 00000003.00000002.515139561.00000000007AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpjC	abd1 .exe, 00000003.00000002.515139561.000000000084B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
15.228.77.178	unknown	United States		16509	AMAZON-02US	false
187.45.187.42	ebaoffice.com.br	Brazil		33182	DIMENOCUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	846833
Start date and time:	2023-04-14 14:45:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi
Detection:	MAL
Classification:	mal100.evad.winMSI@8/27@1/3
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Execution Graph export aborted for target abd1 .exe, PID 3172 because there are no executed function
Execution Graph export aborted for target abd1 .exe, PID 4688 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:46:15	API Interceptor	1x Sleep call for process: abd1 .exe modified
14:46:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
14:46:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
15.228.77.178	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse
	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Get hash	malicious	Unknown	Browse
	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse
	PEDIDOS-08032023-X388omke.msi	Get hash	malicious	Unknown	Browse
	Nota-LG-emitida-13488mhqt.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse
187.45.187.42	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ebaoffice.com.br	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse	187.45.187.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	http://find.zsrc-now.com	Get hash	malicious	Unknown	Browse	13.224.103.16
	new_list.xls	Get hash	malicious	FormBook	Browse	52.41.71.133
	dekont.exe	Get hash	malicious	FormBook	Browse	76.76.21.98
	Central Authentication Service.html	Get hash	malicious	Unknown	Browse	13.225.78.107
	cj10wPH1BS.exe	Get hash	malicious	njRat	Browse	35.157.111.131
	https://trk.klclick1.com/ls/click?upn=pQxQkPCHi609l64uIBccFxlAcc-2Fz1IvOBdgvx7vyD7ak5tTAYnKgqHq6wNsyyHyhU60UqCYxP0-2FvQO9ESOMZtsAukeq8PETi67uyU8nPk92Gsgg2MWTosWW3S474RhIgS8-2FjePCVgV57AovuxZ8e7V-2FXRXzceC0F-2FAURYES6O4IypT3xHuMp9WAzUYA7YhG8mafh2vX-2Bsrkr4FskwSReW9NDi-2BGgjEboQ9DPZ-2FGHGWWa3lJPcNtolVQBfMkNsWwgBlLInhl-2BiKWj6RwPrOoNwbJr1djBg-2FuAw1NK79yLnIoID1c0hHn3vAGysWtbecuGsEMkJ5C7j-2FqX4ZummbkR2HA-2FUEW5ZjVTQxrtpFDylOe5oWPWNwGaDyKSAYi7-2Bm1m8OKA_I8B0La722FaheTZHi47R61v28WpnAr2NnLb-2F9FkGNWDA0Q8tuMrSU13rbrC3IsS73ZHAofaPXKcvU4gRbDVrlxFNWYpsvFMlM-2FeyNCX41yRxql7slZR4-2BCXmxzz5Gs81jlvAGJQoC08leFsAU4w0dOnxXCj-2BbAbSMYneQWphgVjFHNWU7WCHSbRF3b6OEcmmvyNe9DuDgh2DpYDqY7NG5yM3q3l8Hg71Tl-2F2a7aGMHmsycBHSDyHm7piwTCglqtreiU9-2Fy5kr-2FdOh9S5gKNyMiRbzi94673DEA-2F0R3HD-2FZeRNygzWzfrhAFaZaOVvF5uHBvDYvVTdThKxiXVvjsdpSRJtEEtEFDlLhzpleCruGAxwal7JJTfP-2Fp0NQl2p-2BE2iJZK5LVbTDTcGAzIHbQv4qV7up4Lp5M3J9p7NwK8KkKQgC0XhQezvptWIG342YF6	Get hash	malicious	Unknown	Browse	54.187.119.242
	Spildtids.exe	Get hash	malicious	FormBook, GuLoader	Browse	18.140.6.45
	https://www.youtube.com/attribution_link?c=achblog13-ytm-acq-int-blog24-txt-coach&u=http%3A%2F%2Fdsena3net.web.app%2Fani2Pk17ady9Fe5BM2Fe5rsWO3nx0qqrdy9s3RWO3BM2dy9au?id=com.google.android.apps.youtube.music	Get hash	malicious	HTMLPhisher	Browse	44.224.229.21
	wippy-5-41-2.apk	Get hash	malicious	Unknown	Browse	18.179.219.41
	Nuevo_orden..exe	Get hash	malicious	FormBook	Browse	3.64.163.50
	PDFViewer.exe	Get hash	malicious	Unknown	Browse	13.224.103.62
	y	Get hash	malicious	Unknown	Browse	34.249.145.219
	https://m3ahwvlacle25xovupbx443jenru236opl2acsxtakkz72tq-ipfs-dweb-link.translate.goog/?_x_tr_hp=bafybeif22e&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en-US#us-ruby.stern@areca-groups.com	Get hash	malicious	HTMLPhisher	Browse	13.224.103.120
	https://terracombrmemberinfoupdate.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	52.222.232.144
	http://app.plangrid.com/oauth_link?token=oauth_da6596803402246b4ea05a279c69b892&redirect=http://imax.integracionservicios.cl/?code=ZGZyYW5jaXNAaW1heC5jb20=	Get hash	malicious	Unknown	Browse	18.195.122.2
	https://pointlomaonelogin.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	44.236.131.64
	https://d.agkn.com/pixel/10751/?che=1680529529190&ip=146.70.117.118&l1=http://7pnnyuzt.jirehsolux.com?ZGFyeWxAaGVhbHRoZXN5c3RlbXMuY29t	Get hash	malicious	Unknown	Browse	63.33.168.195
	Aging Balance_FULLDATE2_KM_C454e Hhtm.html	Get hash	malicious	HTMLPhisher	Browse	52.218.117.41
	Aging Balance_FULLDATE2_KM_C454e Hhtm.html	Get hash	malicious	HTMLPhisher	Browse	52.218.105.161
	https://t.rdsv1.net/ls/click?upn=3baIzsXZ3-2Bz1fo5w3aqQ957uZT1Mp0-2FvlZ2YVtnwwS-2FMgdVI-2FpWRQncuLC4mQ5-2FY73ZQCMDGY8HogDwe10ZeLud1Gzb7xggCfDD-2FH4bNgZqisN0iwOSwhYAqP-2FoJYPK7pI18conGXxIQUtudrr-2Bd8hcoMWP1jUoW1KLuTdOdBBH8k0VTbFkuXvjHPpGzVEPUhjQn5b6XPmWEFco1ZH-2BAbTu0-2FVf1EZ6B58T44naF4uxoo4P5PSwTDD4E61GheGBSZIJk_8e3fajpSrfGPEyGUmKBad3w54axtRaMxuX-2B7DKhQM8QRSbyc76uT-2Bj-2FSQMhM6npRqvZEEkbgOf-2Bff-2BfiLTnFZ3kXlHrMwZ-2BfS3xkAlNn2ARhXHv1V5bejQcMtVw2uBIoT-2F0kbtsfXa5asleBxOHFIPRqAfA8v7HlFi7Jqm3Jpv5bsuxU3MXsSuU0oN8QZGQP0J-2F78hVcgB3Szao6dsZnPM3TAuQEba7-2Bg4b3qViDVWBsnxyNvqO1o4P9Uybx1CbYiQgFbzJHEl07q9qNwGm1pcycXLqjSc05RxwLJJRS04hQdJ4eC-2BDh8soKRuQjslHDPQTLFNq8E55qD30RoVea37vMvSOKW8xOstHshy69zy16w-2B1-2FuwqU6MQ2-2BByZpqPW9m3cF6QEPtEfuH0PyOp8OD-2BYL-2FsvYZnaJ5R35XBV-2BSiwiXEN1NsPBxqVHMZ2dhgfik8NM1m-2B8ZdunZaAmSV9QRBRfgI4AGJWIfHRfVzjBQ72z3DZtlPXHcDC0gccW1DqYCwfHdIZVymAZWlJDX1LuWRD6oPeHmZnPaSfsectGkFIWu3KtHgcOcNX9ZAwjLSjQaL0EcCE3AULrN8fT8fyIbMm-2F9pDBc57PJomJZ5MrxVC4j6OphvdhEOLXiw9usGdGvGu9GNp-2BMyOc2agywpSh8YJFRG3Wndq4AYDwl3jz6q2SCiYQTx-2BhGqE6vrSBLEpfaIbmmeL2VmQFMDijqtRJg-3D-3D	Get hash	malicious	Unknown	Browse	13.224.189.46
DIMENOCUS	https://cardahi.com/am/voluptasut.php?usito=5	Get hash	malicious	Qbot	Browse	184.171.244.120
	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	Cubicles.eml	Get hash	malicious	Qbot	Browse	107.190.143.58
	http://lleuques.cl/pur/pur.php	Get hash	malicious	Unknown	Browse	98.142.108.122
	E67f7vaDdM.exe	Get hash	malicious	AgentTesla	Browse	186.227.194.42
	Technical_Datasheet.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	186.227.194.42
	Technical_Datasheet.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	186.227.194.42
	Expedita.html	Get hash	malicious	HtmlDropper	Browse	198.49.74.2
	Expedita.html	Get hash	malicious	HtmlDropper, Qbot	Browse	198.49.74.2
	https://casa.tiscali.it/promo/?u=https://sistemaexacto.com.br/gt/test/test@savion.huji.ac.il	Get hash	malicious	HTMLPhisher	Browse	187.45.181.109
	Excepturi.html	Get hash	malicious	HtmlDropper	Browse	184.171.244.22
	https://www.youtube.com/attribution_link?c=coachblog-ytm-acq-int-blog-txt-coach&u=https%3A%2F%2Fderivadosbiodegradables.com%2Fhdefneifeifiefneifn%2Fhuhudhindneefefe%2F/pzp6oa%2F%2F%2F%2Fdhalaszynski@magmutual.com%3Fid%3Dcom.google.android.apps.youtube.music	Get hash	malicious	Unknown	Browse	98.142.99.242
	Copia_di_pagamento.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	cotizaci#U00f3n.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	In.html	Get hash	malicious	Qbot	Browse	67.23.254.45
	Laudantium.html	Get hash	malicious	Qbot	Browse	177.234.150.42
	Teklif_Talebi_763734838.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	Payment_Swift_645547366353646.pdf.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	33ab528f-ebe0-4177-aae1-4e27bc03f2df.exe	Get hash	malicious	AgentTesla	Browse	67.23.238.170
	Produktlista.vbs	Get hash	malicious	AgentTesla	Browse	67.23.238.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	vtwSQve47C.exe	Get hash	malicious	Socelars	Browse	187.45.187.42
	804m7m5D60.exe	Get hash	malicious	Socelars	Browse	187.45.187.42
	dAdirQtTXJ.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	facturas.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	187.45.187.42
	Afklde.exe	Get hash	malicious	FormBook, GuLoader	Browse	187.45.187.42
	20k3R83J4z.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	Spildtids.exe	Get hash	malicious	FormBook, GuLoader	Browse	187.45.187.42
	P3eOTlBexl.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	GsO2dlZj8w.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	zv9Wl4fLF6.exe	Get hash	malicious	DarkCloud	Browse	187.45.187.42
	(NATIONAL_UNIVERSITY_OF_SINGAPORE)_NUS5694BU463_QT.js	Get hash	malicious	DarkCloud	Browse	187.45.187.42
	Faktura_LCF00130423.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	187.45.187.42
	CrgVRF4f1i.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	fe1b82d8fada96c0ebe4429000c600ff88c19a55340a9.exe	Get hash	malicious	Nymaim	Browse	187.45.187.42
	Swift_Confirmation_Detail_000797427.exe	Get hash	malicious	AgentTesla, AveMaria	Browse	187.45.187.42
	ujGa4j2b21.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	fixed_raccoon.bin.exe	Get hash	malicious	Raccoon Stealer v2	Browse	187.45.187.42
	setup.exe	Get hash	malicious	Laplas Clipper, Vidar	Browse	187.45.187.42
	file.exe	Get hash	malicious	Amadey, Djvu, Fabookie, SmokeLoader	Browse	187.45.187.42
	file.exe	Get hash	malicious	Vidar	Browse	187.45.187.42

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\abd1 .exe	Aplica#U00e7#U00e3o.msi	Get hash	malicious	Unknown	Browse
	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse
	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Get hash	malicious	Unknown	Browse
	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	j3PHT0tBBF.msi	Get hash	malicious	Unknown	Browse
	j3PHT0tBBF.msi	Get hash	malicious	Unknown	Browse
	B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse
	Formulario_20183.msi	Get hash	malicious	Hidden Macro 4.0	Browse

Created / dropped Files

C:\Config.Msi\489f51.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	1646
Entropy (8bit):	5.548025194564816
Encrypted:	false
SSDEEP:	48:a0huJARRhAhJqhJh3+fU/l8CMPAX65DYQ:a0huJAjhAhUhJhORi65Dt
MD5:	CE32E387482826DF9219FE41765EB067
SHA1:	58AF6A4AFADDB740F9E783A6A9D12A1AF96CA125
SHA-256:	C42C3DD0F607A4B67C466BBD6677D68A5BF774DB36DAD8A9EBA50A1B5B77F573
SHA-512:	0080C1295967E6C46FDD7E82BF6750B8A6B7BE1823FDEFB20A6D637B62D67842AEFF4F60EA8E8740BF7C93CAE0A7CD8A6BBA73DB3F7C5330DB85A7593A166BCE
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.u.V.@.....@.....@.....@.....@.....@......&.{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}..Aplicativo Windows#.n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi.@.....@...,.@.....@........&.{BA58A5A0-3E06-4F30-BC4A-9D26413FE551}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{1CED642A-C80C-46CE-B6F2-85542DF0EAE6}&.{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}.@......&.{3817173D-E36D-4B1F-AC27-F5FE2DBE7792}&.{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}.@......&.{76B12E9E-C9B9-4D41-8CC0-DAF204ABFEAC}&.{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}.@......&.{79281E80-E00A-49F7-B840-CF58E20E3B60}&.{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}.@........CreateFolders..Criando novas pastas..Pasta: [1]"...C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~.........

C:\Users\user\AppData\Local\767668

Download File

Process:	C:\Users\user\AppData\Roaming\abd1 .exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.452819531114783
Encrypted:	false
SSDEEP:	3:1EypySx3rBov:1XpysBov
MD5:	2BDD4EE98662382C7174D410DCCC8C76
SHA1:	E385E4793019F2BFB9B1BC1DD6039AF0EA236232
SHA-256:	6DC9029EAB9BA9520D8E2605D9D37F01D1B1DCC8430CAAE3D28B1FED17F8D4EF
SHA-512:	532B94E2F53E7A8BA3A34CA3A8CA7BBADF09AC5774F5129128111980CBDF82265A61FB4ABCC1799A3602F338765D00EF3DDD16C19B545E9565807749217261A7
Malicious:	false
Reputation:	low
Preview:	[Generate Pasta]..HJucCRNcVBDk..

C:\Users\user\AppData\Local\Temp\MSI89cce.LOG

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	158682
Entropy (8bit):	3.800590242988794
Encrypted:	false
SSDEEP:	1536:n0tPtbO4qyLEHNc2hYyNs6cPNbuICKbtErGfZk4DPtFfcWPvzEDiXgOzCVviWopM:PjzyFOI2f
MD5:	A021DF1CA16B66EBDBFBA02488CCD485
SHA1:	17F52BB58849A2A75BD9AEA78418410A003B036D
SHA-256:	109FBAC2A50F55003E606D1AFF23BFE296208A6140C06DC1C8FCCF0C38EBC7AA
SHA-512:	7FE57B09F88B51F359C423EC3DB959CD2E60EC1AAF9B0F2AEAC4433933CB4C01B827D29BD1017077F75ADB5552C937E00C4322763419D462DEDE13CA30958455
Malicious:	false
Reputation:	low
Preview:	..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .4./.1.4./.2.0.2.3. . .1.4.:.4.6.:.0.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.D.4.:.D.8.). .[.1.4.:.4.6.:.0.4.:.7.7.2.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.D.4.:.D.8.). .[.1.4.:.4.6.:.0.4.:.7.7.2.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.D.4.:.4.8.). .[.1.4.:.4.6.:.0.4.:.8.1.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.D.4.:.4.8.). .[.1.4.:.4.6.:.0.4.:.8.1.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.

C:\Users\user\AppData\Roaming\WebUI.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8053248
Entropy (8bit):	7.981062022347329
Encrypted:	false
SSDEEP:	196608:JUZbf/P9/wc7Ys+t550uY5v/NouXLRXFtTJ5omVObMWv:EP9/z0sU50PnNoELR1VJ5g
MD5:	F341F02149686778C3AC5F776AF5CC31
SHA1:	01338A44B6787037ECE7C693A0A01C082216FB84
SHA-256:	35FD17CEA33977893C4DD97FD2D559032B907A7034790B1C422102185AD4AB94
SHA-512:	7BC06CFBE492176674538D0B99AF6627DE44CEF5DB4186B8BE298BF9DB312B5BCA5F478C7E3ECE01E367D96563AB00296A584719753E7BC3B68D3F35363268E0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 41%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...G.5d...........!......A.........X.K...... A...@...........................\|.......{...@..................................................................................................................................pC..................... .@......................... ..` ./....@......4.............. ..` d.... A......N..............@....bss.....z....B......................... 0>...0C.....................@... .....pC.....................@... ......C.....................@..@ E.....C.....................@..@ ......C.....................@..B .N...0I.../..$..............@..@.edata...............>J.............@..@.idata...............BJ.............@....rsrc...........

C:\Users\user\AppData\Roaming\abd1 .exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1856512
Entropy (8bit):	6.763893864307226
Encrypted:	false
SSDEEP:	24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
MD5:	CEEF4762B36067F1D32A0DB621EE967E
SHA1:	D23DA38DF6B0FCA8C524B641C59C700A2338648E
SHA-256:	EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
SHA-512:	6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Aplica#U00e7#U00e3o.msi, Detection: malicious, Browse Filename: n_f_3_f_1_s_k_4_l.msi, Detection: malicious, Browse Filename: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi, Detection: malicious, Browse Filename: z12A____o-Trabalhista.msi, Detection: malicious, Browse Filename: z1F_4_T_U_r_4_2024mfdfgryry5.msi, Detection: malicious, Browse Filename: F_4_T_U_R_4___nf____0992344.4354.msi, Detection: malicious, Browse Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse Filename: j3PHT0tBBF.msi, Detection: malicious, Browse Filename: j3PHT0tBBF.msi, Detection: malicious, Browse Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse Filename: Formulario_20183.msi, Detection: malicious, Browse
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................

C:\Windows\Installer\489f4f.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {BA58A5A0-3E06-4F30-BC4A-9D26413FE551}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft Corporation, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Microsoft Corporation, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 11 22:16:17 2023, Number of Pages: 200
Category:	dropped
Size (bytes):	9970176
Entropy (8bit):	7.938191044684477
Encrypted:	false
SSDEEP:	196608:pg+wKbn0eOuizOMCWOno1ZCdIR2nytNYMbCiZiMY7xv6dd+:pgSsFzOMK2XRZDTCiZixEdd+
MD5:	52AA0C3A70909FE80E53FAEB823BB55C
SHA1:	71291FF0D6AA3F58CBC73037A4C7001B83423F07
SHA-256:	7A15F6773F997F669B096F5499146A34F496CDD13B44993821D762FED2A8793B
SHA-512:	2F4A45110002CFF505885A4A6F350CFFD614DA8263019B4518B9EAD144DD5CCE8CB77BC17B358C09B4E2A15B43430555C74B5234441616E8D7AA3AE3BB3D2410
Malicious:	false
Preview:	......................>.......................................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...\|...}...~...........................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...........>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIA394.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA4FD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA55B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA58B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA629.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	598840
Entropy (8bit):	6.4742572330426045
Encrypted:	false
SSDEEP:	12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
MD5:	8E565FD81CA10A65CC02E7901A78C95B
SHA1:	1BCA3979C233321AE527D4508CFE9B3BA825DBD3
SHA-256:	7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
SHA-512:	144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA791.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1975
Entropy (8bit):	5.270842823154599
Encrypted:	false
SSDEEP:	48:f0huJA4m2D7M6L6D+sJmquCcGAX6bDYtmLS:f0huJAaD7D1quNGi6bDemm
MD5:	A2F7B258562EA7A51AE1213BD5BEEF24
SHA1:	2A26738302216D97340D47E46C358F7E0A9E397C
SHA-256:	57530D860D5069B052C0837D72DBA9BB941AD03CECAAAD0CF7DF04C9D6B4EF7A
SHA-512:	CB55245AAA32D3CA37CADE711AC749FB7966CC67038BC3AAEF21227B3A458F01DF9661DBB883BA5CE06C8B862551E2420C070E4780B1585DB10541FA6CC4371B
Malicious:	false
Preview:	...@IXOS.@.....@.u.V.@.....@.....@.....@.....@.....@......&.{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}..Aplicativo Windows#.n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi.@.....@...,.@.....@........&.{BA58A5A0-3E06-4F30-BC4A-9D26413FE551}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{1CED642A-C80C-46CE-B6F2-85542DF0EAE6}..C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{3817173D-E36D-4B1F-AC27-F5FE2DBE7792}=.01:\Software\Microsoft Corporation\Aplicativo Windows\Version.@.......@.....@.....@......&.{76B12E9E-C9B9-4D41-8CC0-DAF204ABFEAC}(.C:\Users\user\AppData\Roaming\WebUI.dll.@.......@.....@.....@......&.{79281E80-E00A-49F7-B840-CF58E20E3B60}(.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@.......@.....@.....@

C:\Windows\Installer\SourceHash{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1764388835612314
Encrypted:	false
SSDEEP:	12:JSbX72FjRAGiLIlHVRpg5h/7777777777777777777777777vDHFyZYPhqll0i8Q:JPQI5GAZYPhdF
MD5:	BB7F175297365D42D82919FB11221640
SHA1:	5721BA99BCA7EEA436FC78B36C61502FAEBD09B0
SHA-256:	E8036824465974F586D04C77899CF568B405781A4C784C4D73BC7E7BAFAB25EB
SHA-512:	2B6180E54DDD744BF54A94593ECF5F8CAE1B6CF041210E40619F3EBA651DF687DE997CB41F829FB59A9F22CB2B66061AB233CD1E56D85F14EDC120F75C9D8F08
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5115107146495648
Encrypted:	false
SSDEEP:	48:7W8PhBuRc06WXJOFT5LYdKdmSKsAEKgCyjMHk0mSKqT0xG:7phB1lFTl6KYlkC0MuPG
MD5:	B261E228522274425DA86D53275934B5
SHA1:	90418E6145799057D00F7AAA5C6AA0A0C81CB8D8
SHA-256:	D20E161730D7CECE6C48814E3DCE1DD5E5371A0116148D1CAABE7DA23A3B56E8
SHA-512:	9298CC6FF6F1D5EBA01FF803950037D78270A6C3CDF1F11B1113B808E8DAEDFD6DE465E28088BF53AA0FC776E7CF7613659D5BF4D3F852D67F2B049B2D62E6B2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	192827
Entropy (8bit):	5.392033252007005
Encrypted:	false
SSDEEP:	3072:iHHJCoX5CNWFHjkzRl1pqf5JjzH6wbxygaK8Nkv6kF8Kwu8K8uBD556GIlZZ6bFD:i0LVlAB
MD5:	99A71E5F8088FE1F8989BC2E0B042607
SHA1:	7E1865441AF5F7139F92ED9D5B7166F01CE27C22
SHA-256:	935CE46B4BB9965674711CED84E7F05B89F666986764FA3F948C29ADC72D739C
SHA-512:	7DF70490103EB6D8C0ABC47955F72BBF36260B677FED028E56E4C3601AA4A81D6D038D5AE93BE964CA51266E6A46A4F6B8B10365048117126911C266D8C07C44
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

C:\Windows\Temp\~DF05040D7A2D8E1160.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5115107146495648
Encrypted:	false
SSDEEP:	48:7W8PhBuRc06WXJOFT5LYdKdmSKsAEKgCyjMHk0mSKqT0xG:7phB1lFTl6KYlkC0MuPG
MD5:	B261E228522274425DA86D53275934B5
SHA1:	90418E6145799057D00F7AAA5C6AA0A0C81CB8D8
SHA-256:	D20E161730D7CECE6C48814E3DCE1DD5E5371A0116148D1CAABE7DA23A3B56E8
SHA-512:	9298CC6FF6F1D5EBA01FF803950037D78270A6C3CDF1F11B1113B808E8DAEDFD6DE465E28088BF53AA0FC776E7CF7613659D5BF4D3F852D67F2B049B2D62E6B2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF22899793185B4B4D.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.11701519971028748
Encrypted:	false
SSDEEP:	24:R8f3CFmisYRTxwtwipVwtawtwipVwtSAEVwtyjCyjMHVO3wGQbl/+agLsQ:AG5RT2mSKZmSKsAEKgCyjMHkq1dQ
MD5:	86BA6501B77682340398F191D364C7AB
SHA1:	D4BA94742AB195B804D8C8C22E7B1874C9A6B30F
SHA-256:	E07AD0E3DE2B42EAFD0735CD1207F553A573D95A70F0141FE4CC7145596A9931
SHA-512:	F2A1E7568389720FE69F7CE10EC28990882792685FBA693F6574EB3E4D0D5303127AA694A07C24628F6B410FE8140D90B44CBE6244066D1452863E3CD7981162
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2A6526E5441232BA.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.08042830089367933
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOy4132YkWLV6RKVky6l31:2F0i8n0itFzDHFyZYPhql
MD5:	E840B2F93945EF4AFAEB51703976B3F2
SHA1:	425D9871D1850BC4C49D28B2C0BD59594F60B6B4
SHA-256:	FAFD321A545B28637CEC5E19AA1915C508D04C86175B1A23750F678FA7C3835A
SHA-512:	F91657DC7FDD1AE88976246DE61BDEEF30D85F4CDBCC24A0DAA9949EF71B5B2BBA2EC19BDE54B8AD050A999C16B9943FBED1AF0092452E1FFCFFB003BC48920F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF3B4D5C78F71C4742.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2148688802926442
Encrypted:	false
SSDEEP:	48:+05uZO+CFXJPT5NYdKdmSKsAEKgCyjMHk0mSKqT0xG:T5hnT76KYlkC0MuPG
MD5:	DFE370B9C60BACC428E61744B0B81E3E
SHA1:	22136354EA5FD0E65707B32A09DEA8FE152F1D26
SHA-256:	7958B5CBB635D02D4E92C9EDB1540477B51ECB646253724FD778E7BE3CED453D
SHA-512:	F204576E569FE1EA648F9D01D610E923E6D57D320634946F3842EE980832242F166112642989D1F556B027DFAD19C1A34E957E083410077C5C6AC9DBA1FEE8A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4FD6203267DF6440.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5ACE2CC1E9407A17.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2148688802926442
Encrypted:	false
SSDEEP:	48:+05uZO+CFXJPT5NYdKdmSKsAEKgCyjMHk0mSKqT0xG:T5hnT76KYlkC0MuPG
MD5:	DFE370B9C60BACC428E61744B0B81E3E
SHA1:	22136354EA5FD0E65707B32A09DEA8FE152F1D26
SHA-256:	7958B5CBB635D02D4E92C9EDB1540477B51ECB646253724FD778E7BE3CED453D
SHA-512:	F204576E569FE1EA648F9D01D610E923E6D57D320634946F3842EE980832242F166112642989D1F556B027DFAD19C1A34E957E083410077C5C6AC9DBA1FEE8A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6D2C7D62D6C3FECB.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF76AE5281927BBE86.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB682B42EC463436C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFBC9D43390436C4A5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2148688802926442
Encrypted:	false
SSDEEP:	48:+05uZO+CFXJPT5NYdKdmSKsAEKgCyjMHk0mSKqT0xG:T5hnT76KYlkC0MuPG
MD5:	DFE370B9C60BACC428E61744B0B81E3E
SHA1:	22136354EA5FD0E65707B32A09DEA8FE152F1D26
SHA-256:	7958B5CBB635D02D4E92C9EDB1540477B51ECB646253724FD778E7BE3CED453D
SHA-512:	F204576E569FE1EA648F9D01D610E923E6D57D320634946F3842EE980832242F166112642989D1F556B027DFAD19C1A34E957E083410077C5C6AC9DBA1FEE8A9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF93AEA8D5716573F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5115107146495648
Encrypted:	false
SSDEEP:	48:7W8PhBuRc06WXJOFT5LYdKdmSKsAEKgCyjMHk0mSKqT0xG:7phB1lFTl6KYlkC0MuPG
MD5:	B261E228522274425DA86D53275934B5
SHA1:	90418E6145799057D00F7AAA5C6AA0A0C81CB8D8
SHA-256:	D20E161730D7CECE6C48814E3DCE1DD5E5371A0116148D1CAABE7DA23A3B56E8
SHA-512:	9298CC6FF6F1D5EBA01FF803950037D78270A6C3CDF1F11B1113B808E8DAEDFD6DE465E28088BF53AA0FC776E7CF7613659D5BF4D3F852D67F2B049B2D62E6B2
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFFFFFBE72C598A521.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {BA58A5A0-3E06-4F30-BC4A-9D26413FE551}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft Corporation, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Microsoft Corporation, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Apr 11 22:16:17 2023, Number of Pages: 200
Entropy (8bit):	7.938191044684477
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi
File size:	9970176
MD5:	52aa0c3a70909fe80e53faeb823bb55c
SHA1:	71291ff0d6aa3f58cbc73037a4c7001b83423f07
SHA256:	7a15f6773f997f669b096f5499146a34f496cdd13b44993821d762fed2a8793b
SHA512:	2f4a45110002cff505885a4a6f350cffd614da8263019b4518b9ead144dd5cce8cb77bc17b358c09b4e2a15b43430555c74b5234441616e8d7aa3ae3bb3d2410
SSDEEP:	196608:pg+wKbn0eOuizOMCWOno1ZCdIR2nytNYMbCiZiMY7xv6dd+:pgSsFzOMK2XRZDTCiZixEdd+
TLSH:	AAA62321A2C78522C55D027BE928FE5F1539BFB3473041E7B6F83D6A48F4CC152BAA16
File Content Preview:	........................>.......................................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...\|...}...~..............................................................

File Icon


Icon Hash:	a2a0b496b2caca72

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2023 14:46:16.277205944 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:16.277277946 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:16.277517080 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:16.300812960 CEST	49699	80	192.168.2.3	15.228.77.178
Apr 14, 2023 14:46:16.345114946 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:16.345179081 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:17.012741089 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:17.012937069 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:17.372783899 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:17.372849941 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:17.373337030 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:17.373395920 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:17.387332916 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:17.427417040 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:18.002707005 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:18.002876997 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:18.002880096 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:18.002943039 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:18.008996010 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:18.009020090 CEST	443	49698	187.45.187.42	192.168.2.3
Apr 14, 2023 14:46:18.009032011 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:18.009094000 CEST	49698	443	192.168.2.3	187.45.187.42
Apr 14, 2023 14:46:19.307137012 CEST	49699	80	192.168.2.3	15.228.77.178
Apr 14, 2023 14:46:25.370138884 CEST	49699	80	192.168.2.3	15.228.77.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 14, 2023 14:46:15.874398947 CEST	62704	53	192.168.2.3	8.8.8.8
Apr 14, 2023 14:46:16.252891064 CEST	53	62704	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 14, 2023 14:46:15.874398947 CEST	192.168.2.3	8.8.8.8	0x7442	Standard query (0)	ebaoffice.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 14, 2023 14:46:16.252891064 CEST	8.8.8.8	192.168.2.3	0x7442	No error (0)	ebaoffice.com.br		187.45.187.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ebaoffice.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49698	187.45.187.42	443	C:\Users\user\AppData\Roaming\abd1 .exe

Timestamp	kBytes transferred	Direction	Data
2023-04-14 12:46:17 UTC	0	OUT	GET /imagens/bo/inspecionando.php HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ebaoffice.com.br Connection: Keep-Alive
2023-04-14 12:46:17 UTC	0	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/5.6.40 content-type: text/html; charset=UTF-8 cache-control: public, max-age=0 expires: Fri, 14 Apr 2023 12:46:17 GMT content-length: 0 date: Fri, 14 Apr 2023 12:46:17 GMT server: LiteSpeed x-ua-compatible: IE=Edge,chrome=1 alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Target ID:	0
Start time:	14:46:04
Start date:	14/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi"
Imagebase:	0x7ff68e9d0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	14:46:04
Start date:	14/04/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff68e9d0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	14:46:06
Start date:	14/04/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 64567A7FD192A26AA97A644E368FA553
Imagebase:	0xf20000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	14:46:08
Start date:	14/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\abd1 .exe
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.255880949.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Target ID:	13
Start time:	14:46:50
Start date:	14/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\abd1 .exe"
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	moderate

Show Windows behavior

Target ID:	14
Start time:	14:46:59
Start date:	14/04/2023
Path:	C:\Users\user\AppData\Roaming\abd1 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\abd1 .exe"
Imagebase:	0x400000
File size:	1856512 bytes
MD5 hash:	CEEF4762B36067F1D32A0DB621EE967E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	9.8%
Total number of Nodes:	41
Total number of Limit Nodes:	1

Executed Functions

Function 6BE21F41 Relevance: 1.8, APIs: 1, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE21000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be21000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e2d79a589eff94192694d6820d8afc2a1d08dbf27eaed4145b5f0576c3151f
Instruction ID: 7d97413f804ccc86eb4effd2a09e972ca5a42a414ffa3ed6f516cc4d272929a7
Opcode Fuzzy Hash: d7e2d79a589eff94192694d6820d8afc2a1d08dbf27eaed4145b5f0576c3151f
Instruction Fuzzy Hash: 19B12FA240D7C0AFD3039B749C616A6BFB0AF53210F1A85DFC1C08B6A3E339491AD752

Uniqueness

Uniqueness Score: -1.00%

Function 6BDF3A9B Relevance: 1.6, APIs: 1, Instructions: 97
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 6BDF3AB1

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDF2000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bdf2000_abd1 .jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: be9d641f0ad49debd02f90a612c67c8f42bd8083a2d321fa78df2527b29e7234
Instruction ID: b685bbf1d80a6296d09fed5956ae81d08ae4baaa18e7085e0aa5ff7e3a422245
Opcode Fuzzy Hash: be9d641f0ad49debd02f90a612c67c8f42bd8083a2d321fa78df2527b29e7234
Instruction Fuzzy Hash: A9311AB250C610EFE305AF09EC81ABEBFE5EF88760F05482DE6D882710D63598108B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BDE4E53 Relevance: 1.6, APIs: 1, Instructions: 91
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationThread.NTDLL ref: 6BDE4E56

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDE4000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDE4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bde4000_abd1 .jbxd

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 017a0e61230caa4da2368ae74fc3b0cf15745a117ff77e5b16a99f04dc214dfb
Instruction ID: 28a96248aae1637ef9bcb841ec078ce2a8e9365a6fe7072aa5daefd9befa7749
Opcode Fuzzy Hash: 017a0e61230caa4da2368ae74fc3b0cf15745a117ff77e5b16a99f04dc214dfb
Instruction Fuzzy Hash: F9312DF251C610AFE315AF59D881BAAFBE5EF48710F06492EE7D8C3640D67548508B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BDEF44E Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDEE000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDEE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bdee000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c821e1e5a2f40c82e6f43996df7e7c60a9d96fbc092d0d078934568edade3
Instruction ID: 9bfa7bd03a186188f729b3c094f4a48eb8648711f2cce45404ea6d62addc24d4
Opcode Fuzzy Hash: 464c821e1e5a2f40c82e6f43996df7e7c60a9d96fbc092d0d078934568edade3
Instruction Fuzzy Hash: 873138F250C700DFE705BF29E88166ABBF2EF88310F02892DE6D487254E73558548B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BE4E083 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE ref: 6BE4E083

Strings

|S<y, xrefs: 6BE4E0BB

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE4E000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE4E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be4e000_abd1 .jbxd

Similarity

API ID: CreateFileMapping
String ID: |S<y
API String ID: 524692379-880664758
Opcode ID: 68187923bcc49333b9d9ea739374c9ca42b509f8a53eb8d693349f513f457ee7
Instruction ID: 3f2cf7b28498ca808e67287a06be5bed11e7a6c622286d35cbffbcab418b1f8c
Opcode Fuzzy Hash: 68187923bcc49333b9d9ea739374c9ca42b509f8a53eb8d693349f513f457ee7
Instruction Fuzzy Hash: 383161B250C304AFE311BF19EC816BEBBE8EB48720F01891DFAD487A00E73559549B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE21CFB Relevance: 1.6, APIs: 1, Instructions: 129
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32 ref: 6BE21D2B

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE21000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be21000_abd1 .jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: bc7d6bf37552fe37ed467e079085e62b1606796987a6699ed760f62e4a5257f4
Instruction ID: 2fb061fdb11e13d6be795b8029b5716ec0e1029ea693142aed8eb429af7788c2
Opcode Fuzzy Hash: bc7d6bf37552fe37ed467e079085e62b1606796987a6699ed760f62e4a5257f4
Instruction Fuzzy Hash: F5410AF391C304AFD712AF28DC816BABBE5EF95310F16492DE6D483350E63158048B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE450C4 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32 ref: 6BE4515B

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE43000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE43000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be43000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 9468503ebe3da55ac82e9cc041c56b108b4c7765fdb87aaf3a4e7b46cb0544a1
Instruction ID: 78ca9e1d5edb89e271b705d26ebfaaccffbe795388601dc083d3098a81e51d03
Opcode Fuzzy Hash: 9468503ebe3da55ac82e9cc041c56b108b4c7765fdb87aaf3a4e7b46cb0544a1
Instruction Fuzzy Hash: 9B319EF290C750AFE306AF19DC816AABBE0EF05360F05492DEAC987640DA359850C787

Uniqueness

Uniqueness Score: -1.00%

Function 6BE45833 Relevance: 1.6, APIs: 1, Instructions: 105
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyA.ADVAPI32 ref: 6BE4583B

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE43000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE43000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be43000_abd1 .jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6bde6196fea8639350f2f6affd3ed6c09f563e3706bf44388c9674ec31d20127
Instruction ID: a1b77b36b0eb698601af997f33d45a48b9b74caa9f16196d7603d01b285ac6f0
Opcode Fuzzy Hash: 6bde6196fea8639350f2f6affd3ed6c09f563e3706bf44388c9674ec31d20127
Instruction Fuzzy Hash: 933198B250C704AFE711AF59DC416BBBBE9EF89350F16492DE5C4C3710E63198008B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BEBB146 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 6BEBB146

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BEBB000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BEBB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bebb000_abd1 .jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 21367f41e7875c34dbf093c3eacaacb780517a1a32d2dbbb1dccab12e2df7679
Instruction ID: fa0a33cb8bd711c271448b1400d67fe100058113859e2345091d394beb3d47b2
Opcode Fuzzy Hash: 21367f41e7875c34dbf093c3eacaacb780517a1a32d2dbbb1dccab12e2df7679
Instruction Fuzzy Hash: 05313AF251C710AFE711BF19DC856AABBE4EB48720F05492DE6C583740E63168448B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BDC12C7 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00C3343F), ref: 6BDC12DF

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDC1000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bdc1000_abd1 .jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 660a4a52d9526342cbb417b0eda203b62dda15fb51b4c6f266aa4c988e6bea1e
Instruction ID: 3d535b7db98f943ec54d5cb18b5dcb15af7a93bc071a25719f6866899339b092
Opcode Fuzzy Hash: 660a4a52d9526342cbb417b0eda203b62dda15fb51b4c6f266aa4c988e6bea1e
Instruction Fuzzy Hash: C1318FB290C610AFE712AF58DC817AEFBE4EF88320F06496DE6C497610D73598108B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE430A7 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32 ref: 6BE430A7

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE43000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE43000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be43000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 1e3360fa51f42281d4ff075129b619f8b67f45925b0f6c63cebd3da456f926a3
Instruction ID: cc79d0ccf96a88a53e401168f198a87139c62ffd6e1e6f35aa5332eb63990f18
Opcode Fuzzy Hash: 1e3360fa51f42281d4ff075129b619f8b67f45925b0f6c63cebd3da456f926a3
Instruction Fuzzy Hash: BC314FF151C304AFD715AF59DC81B6ABBE8EB48710F06492DF6D8C3340E63598108B9B

Uniqueness

Uniqueness Score: -1.00%

Function 6BE48AA9 Relevance: 1.6, APIs: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNEL32(FFFF225E), ref: 6BE48AAF

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE43000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE43000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be43000_abd1 .jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7b68b9d81f52549b136ac1188e4be5227d464560cac6d808ade4582aa0ccbaef
Instruction ID: 561a9e5fae56f564660018b29c3e3c42b9208553d8bec6e209fb5410dc50710b
Opcode Fuzzy Hash: 7b68b9d81f52549b136ac1188e4be5227d464560cac6d808ade4582aa0ccbaef
Instruction Fuzzy Hash: AC3125B251C700AFE716AE18DC86BBEBBE4EB98710F05492DE7D483650E67198508B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BEBD336 Relevance: 1.6, APIs: 1, Instructions: 91
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 6BEBD336

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BEBD000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BEBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bebd000_abd1 .jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 77f4bdd98149bf487837ceb0925d342af55492ff2919e0bbcd1af3777f096b94
Instruction ID: 3e69d8033808c1f03abe73c27f2253a96cdf2d290f94d084e122462e3121745b
Opcode Fuzzy Hash: 77f4bdd98149bf487837ceb0925d342af55492ff2919e0bbcd1af3777f096b94
Instruction Fuzzy Hash: 8F21FBF251C304AFE711BE58EC817AABBE4EB18354F05093DEBD483740E636A9548B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE40F25 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32 ref: 6BE40F25

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE3C000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be3c000_abd1 .jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7708f7c444d06c27633f69399a3cc6622f65c4e016cdd0262de6a239171a6ab4
Instruction ID: f19a53af9f30e86056a3e4f9dce04d982c0c93aad88175d20418ddb78df1b441
Opcode Fuzzy Hash: 7708f7c444d06c27633f69399a3cc6622f65c4e016cdd0262de6a239171a6ab4
Instruction Fuzzy Hash: E521D5B250C700AFE705AF09D891B7EFBE5EF88710F06482DE6C487340EA3558508B9B

Uniqueness

Uniqueness Score: -1.00%

Function 6BE499BB Relevance: 1.6, APIs: 1, Instructions: 85
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 6BE499BB

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE43000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE43000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be43000_abd1 .jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3562728cd4d3ed849ecbb5beda676ae106dc467186980bbae1357b8d1764d401
Instruction ID: fd3833f19634f9bf4e6ef2c56351ee8566d4712ff04639eb5fee074faaf4d53d
Opcode Fuzzy Hash: 3562728cd4d3ed849ecbb5beda676ae106dc467186980bbae1357b8d1764d401
Instruction Fuzzy Hash: 8121E8F150C604AFE702AF18DC82B6EBBE4EB58714F05492DE6C483710E636A9608B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BDE0380 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Process32First.KERNEL32 ref: 6BDE0380

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDE0000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bde0000_abd1 .jbxd

Similarity

API ID: FirstProcess32
String ID:
API String ID: 2623510744-0
Opcode ID: 3ca93311b9fa867ec5a9a457fc7d3d8f76237d6b58df9ad618dbaf2db44b7c2a
Instruction ID: 856721e2be6bb1251b89bc38bec7a113513c73c57b1292b4cf392b0fccf0fcbb
Opcode Fuzzy Hash: 3ca93311b9fa867ec5a9a457fc7d3d8f76237d6b58df9ad618dbaf2db44b7c2a
Instruction Fuzzy Hash: 87212BB250C314AFE711BF09DC81ABAFBE8EF44610F06482DE6C483700EA31A8508B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BE36186 Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32 ref: 6BE36186

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE36000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE36000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be36000_abd1 .jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ef5aa90f2c50f9e0502475d767ec07f385caecc6c4fd85528d3645989efd884d
Instruction ID: a4e2f681cc070a705522b3833793aea6dacde2309830576a3de3fc7580b45616
Opcode Fuzzy Hash: ef5aa90f2c50f9e0502475d767ec07f385caecc6c4fd85528d3645989efd884d
Instruction Fuzzy Hash: BB21F9B190C7149FE711BF19D88176AFBE4EF54710F06492CEBD843710E63669648B8B

Uniqueness

Uniqueness Score: -1.00%

Function 6BE3E9FF Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32 ref: 6BE3E9FF

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE3C000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be3c000_abd1 .jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5ecf750ec9053525c48670156c79244b8cbce00124e1a909615209e954f88c0c
Instruction ID: a7a5955abf4970f1111b3f5f7bb72799827e87f744c1b4838ec68f8c86a46812
Opcode Fuzzy Hash: 5ecf750ec9053525c48670156c79244b8cbce00124e1a909615209e954f88c0c
Instruction Fuzzy Hash: 94212AF2508204EFE711AF09EC81BAAFBE5EB88724F01482DF6D482600D73658149A57

Uniqueness

Uniqueness Score: -1.00%

Function 6BE41FC0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FindWindowA.USER32 ref: 6BE41FC3

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE3C000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE3C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be3c000_abd1 .jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: de57f22ea47db8565a0c8bb7d5b65dd0bc6b7dc4e6fb2e8494b201ecca1dc566
Instruction ID: adeb338a14085de03208061e56580b5883529cdf7d9f700d9edd23cb5a40f4b1
Opcode Fuzzy Hash: de57f22ea47db8565a0c8bb7d5b65dd0bc6b7dc4e6fb2e8494b201ecca1dc566
Instruction Fuzzy Hash: 5BD0ECF0508614ABD2016F59D48086AFEF5EF94B40F41892DE5C447704C6319810CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BDDC2BF Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 6BDDC2D4

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDDC000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDDC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bddc000_abd1 .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9220c11efcdbb73cf2cabe02fa1cdd5206d072a92a4a929d52e88a77d956caf9
Instruction ID: 562a25ef1287d5b194d6c15a0299794b9ba9cc99de3a09c54cd7ddf2c3d7c733
Opcode Fuzzy Hash: 9220c11efcdbb73cf2cabe02fa1cdd5206d072a92a4a929d52e88a77d956caf9
Instruction Fuzzy Hash: 3C310FF110C700AFE709AF19DC86A7EBBE5EF85710F05893DE2C546750EA356450CA5B

Uniqueness

Uniqueness Score: -1.00%

Function 6BEBF7A8 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

=us, xrefs: 6BEBF873

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BEBF000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BEBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bebf000_abd1 .jbxd

Similarity

API ID:
String ID: =us
API String ID: 0-2960227172
Opcode ID: 089f64747858fcae571f37339ce430066db4b0116c03fcf51f96b7a6fe970c19
Instruction ID: 572794ad0d7736c83257f66e4bfa2929441f32818952468bd8046aa6045bbfaf
Opcode Fuzzy Hash: 089f64747858fcae571f37339ce430066db4b0116c03fcf51f96b7a6fe970c19
Instruction Fuzzy Hash: 613181F290C7109FD7169F09D891AAEBBE5EB88714F05492EE6C847750E6321854CBC7

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA5A42 Relevance: 1.3, APIs: 1, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 6BBA5A42

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BBA5000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BBA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bba5000_abd1 .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e310e0273b417220f666186461a9635f551726fd71de6e83d22a0da46103cedb
Instruction ID: 5c58b1ff775cf556f9d18d176135df87a4390b2d6f6edd505c976072076a8628
Opcode Fuzzy Hash: e310e0273b417220f666186461a9635f551726fd71de6e83d22a0da46103cedb
Instruction Fuzzy Hash: C5212CF1908210AFD721AF09D881BAABBE5EF84710F05892DEBD853750E6364864CBC7

Uniqueness

Uniqueness Score: -1.00%

Function 6BDD6FAA Relevance: 1.3, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 6BDD6FAA

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDD6000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDD6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bdd6000_abd1 .jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eb83c868047c1a5d1f98a3defce34f7a8c07dade8fa2f82a210410e26a61072d
Instruction ID: e256853c38a119b63e225978bde0a27f2d080a4d67f213302b0f89134c4e4f30
Opcode Fuzzy Hash: eb83c868047c1a5d1f98a3defce34f7a8c07dade8fa2f82a210410e26a61072d
Instruction Fuzzy Hash: 60E0E5F221D600BFE214AF899D46A7BFAE8EFC4720F16881DF1C8D7600D27088418B62

Uniqueness

Uniqueness Score: -1.00%

Function 6BE0DB3B Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE0D000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be0d000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01cc710de742d3b85e0e88595f97c43418c7641c6ed37b1a2f3134e0000d7099
Instruction ID: 955bd9fdd293809d9a42a25fe73ccf1bba88d2a701a3e6df165064028e848b1d
Opcode Fuzzy Hash: 01cc710de742d3b85e0e88595f97c43418c7641c6ed37b1a2f3134e0000d7099
Instruction Fuzzy Hash: A0317CF251C600EFEB05AF18DC827AABBE5EF98320F15492DE6C487640E33588148B87

Uniqueness

Uniqueness Score: -1.00%

Function 6BDD4EF5 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDD3000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDD3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bdd3000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa012a4b9a776503bfc5681fa039f6f822afa910d65db3d02d4aa8c26615dba
Instruction ID: cdb73ae7ec1529651e4af85f526003ee2a01d70d54a7535a3d444a198f353ab6
Opcode Fuzzy Hash: 1aa012a4b9a776503bfc5681fa039f6f822afa910d65db3d02d4aa8c26615dba
Instruction Fuzzy Hash: EE21F9F2508714AFE715AF09D8817AAFBE8EF44750F06482DE7D883740D635A8508B9B

Uniqueness

Uniqueness Score: -1.00%

Function 6BC6EA63 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BC6E000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BC6E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bc6e000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8fd4af4d2ea87b6d43d105758dd36af83b2dc4c785012168f8a8dee085e858f
Instruction ID: 67bdb94cf73db4fc9fea7d845d88f56bce577b794c291c5aeb58915f76823778
Opcode Fuzzy Hash: a8fd4af4d2ea87b6d43d105758dd36af83b2dc4c785012168f8a8dee085e858f
Instruction Fuzzy Hash: 332117F260C600AFE715AF09EC81B7ABBE8EF84724F05882DE7C887350D63558548B97

Uniqueness

Uniqueness Score: -1.00%

Function 6BDCCFB6 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BDCC000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BDCC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bdcc000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493e9fd7544a1eaedf6a1b15e74d8d816599fe354ba71e03229df4e27d48a636
Instruction ID: a571f75e98de0902d6886d3a7a229c8083f5c9fc55e38c2301c14b5760660c1a
Opcode Fuzzy Hash: 493e9fd7544a1eaedf6a1b15e74d8d816599fe354ba71e03229df4e27d48a636
Instruction Fuzzy Hash: FFE09AB0508744ABC3116F0BD844A2EFFF8EFD4B10F01482DA5D882711D6745590CA12

Uniqueness

Uniqueness Score: -1.00%

Function 6BE577E2 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE57000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE57000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be57000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264749cb8640a0b18965f238cc76090c102642b2da193a25a1e0f0aaba725e17
Instruction ID: f5e8e1daac958105ef4c3f31dccd4a1b0a54b0b3e6446cb7f5ec5af4b67d96c6
Opcode Fuzzy Hash: 264749cb8640a0b18965f238cc76090c102642b2da193a25a1e0f0aaba725e17
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6BC6FF0A Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BC6E000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BC6E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bc6e000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a6f1ebd017a9acb5b0843b0d542007a66f6160d9c3c7979f02473dca7b4da9
Instruction ID: 8dff815cffbe694d5f091fc4ca42e4f19b1aadd62dbd128d21fe1d5c54be3044
Opcode Fuzzy Hash: 48a6f1ebd017a9acb5b0843b0d542007a66f6160d9c3c7979f02473dca7b4da9
Instruction Fuzzy Hash: 98D1D2F360C200AFE3146E59EC817BABBE9EF94720F1A493DE6C487740E63995418797

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA53E1 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BBA5000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BBA5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bba5000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf541cf9ce497f588a8ddb1699df6e2d7037b7fe2f57ba117d22f4fe39f79ff
Instruction ID: 2e1ebc7ff3661b287624f40982681d24586ddf2c79de998aaa5fdd5ffe1cc745
Opcode Fuzzy Hash: 8cf541cf9ce497f588a8ddb1699df6e2d7037b7fe2f57ba117d22f4fe39f79ff
Instruction Fuzzy Hash: 66A18DF3F516254BF3584C68CD683626683EBD5310F2F82788F49ABBC5D87E5D0A5284

Uniqueness

Uniqueness Score: -1.00%

Function 6BEBF1B9 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BEBF000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BEBF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6bebf000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a212dafdeea883a2e9455a510acb9ea1fb6e7f066d15e531fa024f599ef9e195
Instruction ID: b531f55f10e2b68fb06eba84068496e79abceec320feee4b9bebacc4198726b5
Opcode Fuzzy Hash: a212dafdeea883a2e9455a510acb9ea1fb6e7f066d15e531fa024f599ef9e195
Instruction Fuzzy Hash: 38316EB390C210AFE3056E19DC816BAFBE5EF98760F16092EE6D8D3650D6315840CB87

Uniqueness

Uniqueness Score: -1.00%

Function 6BE21126 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.392927366.000000006BE21000.00000040.00000001.01000000.00000004.sdmp, Offset: 6BE21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6be21000_abd1 .jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062b4592218231f735d9003cc335e50d3cf707cdbe4803829cfc6d1bdd17a0aa
Instruction ID: b1793121122a844062fb485179ee24160be7fd99d82249ac89e4b20da584c1d2
Opcode Fuzzy Hash: 062b4592218231f735d9003cc335e50d3cf707cdbe4803829cfc6d1bdd17a0aa
Instruction Fuzzy Hash: 6411027684E791DFD3125BF0D851290BFB0EF07244B2A80EAC0C89B262D2364A47CB63

Uniqueness

Uniqueness Score: -1.00%

Source: https://ebaoffice.com.br/imagens/bo/inspecionando.php#	Avira URL Cloud: Label: malware
Source: https://ebaoffice.com.br/imagens/bo/inspecionando.php	Avira URL Cloud: Label: malware

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Joe Sandbox View	IP Address: 15.228.77.178 15.228.77.178
Source: Joe Sandbox View	IP Address: 187.45.187.42 187.45.187.42

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\489f51.rbs

C:\Users\user\AppData\Local\767668

C:\Users\user\AppData\Local\Temp\MSI89cce.LOG

C:\Users\user\AppData\Roaming\WebUI.dll

C:\Users\user\AppData\Roaming\abd1 .exe

C:\Windows\Installer\489f4f.msi

C:\Windows\Installer\MSIA394.tmp

C:\Windows\Installer\MSIA4FD.tmp

C:\Windows\Installer\MSIA55B.tmp

C:\Windows\Installer\MSIA58B.tmp

C:\Windows\Installer\MSIA629.tmp

C:\Windows\Installer\MSIA791.tmp

C:\Windows\Installer\SourceHash{5F65DA2B-5AA3-4FE5-B5B2-F2DFC7554A05}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Windows Analysis Report
n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi

Function 6BE21F41 Relevance: 1.8, APIs: 1, Instructions: 317
COMMON

Function 6BDF3A9B Relevance: 1.6, APIs: 1, Instructions: 97
nativeCOMMON

Function 6BDE4E53 Relevance: 1.6, APIs: 1, Instructions: 91
nativethreadCOMMON

Function 6BE4E083 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Function 6BE21CFB Relevance: 1.6, APIs: 1, Instructions: 129
registryCOMMON

Function 6BE450C4 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Function 6BE45833 Relevance: 1.6, APIs: 1, Instructions: 105
registryCOMMON

Function 6BEBB146 Relevance: 1.6, APIs: 1, Instructions: 103
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre