Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
f_4_T_u_r_4_34536_45645_3345_wo.msi

Overview

General Information

Sample Name:f_4_T_u_r_4_34536_45645_3345_wo.msi
Analysis ID:848975
MD5:3987c0f3ab2a1bb65a0d5e9208b62d46
SHA1:6e7013e293c5a0910666ea488868d9216b2bb791
SHA256:61b65fe68d4a0acbcb1ea4512ebdc5c7a41aee8a3bf848cb52657738a6033156
Tags:msi
Infos:

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to evade debugger and weak emulator (self modifying code)
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Entry point lies outside standard sections
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Allocates memory with a write watch (potentially for evading sandboxes)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Checks for debuggers (devices)
Contains capabilities to detect virtual machines
Queries keyboard layouts
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Dropped file seen in connection with other malware
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 508 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\f_4_T_u_r_4_34536_45645_3345_wo.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 5280 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 3172 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 715EC454D0BEADF2C26248DD1CAED610 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • abd1 .exe (PID: 796 cmdline: C:\Users\user\AppData\Roaming\abd1 .exe MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • abd1 .exe (PID: 2904 cmdline: "C:\Users\user\AppData\Roaming\abd1 .exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\abd1 .exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000003.00000002.517143988.000000006C729000.00000040.00000001.01000000.00000004.sdmpWindows_Trojan_Generic_a160ca52unknownunknown
    • 0x1f9f:$a1: 1C 85 C9 74 02 8B 09 8D 41 FF 89 45 F0 89 55 EC 8B 55 EC 8B
    0000000D.00000002.350190121.0000000002260000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_RedLineStealer_a7da40b7unknownunknown
    • 0x6a2ea:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
    0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmpWindows_Trojan_Generic_a160ca52unknownunknown
    • 0xaf9f:$a1: 1C 85 C9 74 02 8B 09 8D 41 FF 89 45 F0 89 55 EC 8B 55 EC 8B
    0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmpWindows_Trojan_RedLineStealer_a7da40b7unknownunknown
    • 0xb5fb:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
    0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmpWindows_Trojan_RedLineStealer_d4b38e13unknownunknown
    • 0x8738:$a: 5B 5D C2 04 00 8B C2 5F 5E 5B 5D C2 04 00 55 8B EC 57 8B 45 08 0F
    Click to see the 2 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    3.0.abd1 .exe.400000.0.unpackJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
      13.2.abd1 .exe.6a500000.1.unpackWindows_Trojan_Generic_a160ca52unknownunknown
      • 0x7822b7:$a1: 1C 85 C9 74 02 8B 09 8D 41 FF 89 45 F0 89 55 EC 8B 55 EC 8B
      13.2.abd1 .exe.6a500000.1.unpackWindows_Trojan_RedLineStealer_a7da40b7unknownunknown
      • 0x782913:$a: 18 B9 10 00 00 00 83 E2 0F 2B CA 3B 4D 14 76 03 8B 4D 14 8D 5C
      13.2.abd1 .exe.6a500000.1.unpackWindows_Trojan_RedLineStealer_d4b38e13unknownunknown
      • 0x77fa50:$a: 5B 5D C2 04 00 8B C2 5F 5E 5B 5D C2 04 00 55 8B EC 57 8B 45 08 0F

      Sigma Signatures

      No Sigma rule has matched

      Snort Signatures

      No Snort rule has matched

      Joe Sandbox Signatures

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Multi AV Scanner detection for submitted file
      Source: f_4_T_u_r_4_34536_45645_3345_wo.msiVirustotal: Detection: 30%Perma Link
      Antivirus detection for URL or domain
      Source: https://ebaoffice.com.br/imagens/bo/inspecionando.php;Avira URL Cloud: Label: malware
      Source: https://ebaoffice.com.br/imagens/bo/inspecionando.phpAvira URL Cloud: Label: malware
      Antivirus detection for dropped file
      Source: C:\Users\user\AppData\Roaming\WebUI.dllAvira: detection malicious, Label: HEUR/AGEN.1300181
      Machine Learning detection for dropped file
      Source: C:\Users\user\AppData\Roaming\WebUI.dllJoe Sandbox ML: detected
      Source: 3.3.abd1 .exe.2520000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen2
      Source: 13.2.abd1 .exe.6a500000.1.unpackAvira: Label: TR/Crypt.XPACK.Gen3
      Source: unknownHTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.7:49697 version: TLS 1.2
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: f_4_T_u_r_4_34536_45645_3345_wo.msi, MSIF130.tmp.1.dr, MSIF22B.tmp.1.dr, 54ea57.msi.1.dr, MSIEF68.tmp.1.dr
      Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: c:Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then test dword ptr [esi+08h], 00000080h3_2_00831416
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov edx, dword ptr [esi]3_2_00831416
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then cmp eax, dword ptr [edx+013BEC98h]3_2_007C6628
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then cmp eax, dword ptr [edx+013BEC34h]3_2_007C6628
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push eax3_2_00831FC8
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push 00008000h3_2_008248A0
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then jmp 0082318Bh3_2_008230E5
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push dword ptr [ebp+10h]3_2_008244F0
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then cmp eax, 7Ah3_2_0082B818
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then sub eax, 20h3_2_0082B818
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then cmp eax, 7Ah3_2_0082B818
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then sub eax, 20h3_2_0082B818
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov ecx, 00000005h3_2_0082F43A
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then add edi, 04h3_2_007C6167
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push dword ptr [ebp+14h]3_2_008319A0
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov ebx, dword ptr [edx+00000340h]3_2_00834DAE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov eax, dword ptr [ebp-08h]3_2_00823DBE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then cmp edx, dword ptr [esi+000012F3h]3_2_00823DBE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then cmp ecx, dword ptr [esi+000012E3h]3_2_00823DBE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov eax, esi3_2_00823DBE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov edx, dword ptr [ebp+08h]3_2_00823DBE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push dword ptr [ebp+14h]3_2_00831923
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then add edi, 04h3_2_007C61D7
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov edx, dword ptr [ebp+08h]3_2_00824139
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov eax, dword ptr [ebp+10h]3_2_00824574
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push dword ptr [ebp+20h]3_2_00824688
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then jmp 00822F7Ah3_2_00822EC3
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov eax, dword ptr [ebp-08h]3_2_00823EFC
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then mov edx, dword ptr [ebp+08h]3_2_00823EFC
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push dword ptr [ebp+20h]3_2_0082460B
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then push dword ptr [ebp+1Ch]3_2_00824218
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 4x nop then jmp 008232DBh3_2_00823234
      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: Joe Sandbox ViewIP Address: 15.228.77.178 15.228.77.178
      Source: global trafficHTTP traffic detected: GET /imagens/bo/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ebaoffice.com.brConnection: Keep-Alive
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
      Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
      Source: unknownTCP traffic detected without corresponding DNS query: 15.228.77.178
      Source: unknownTCP traffic detected without corresponding DNS query: 15.228.77.178
      Source: unknownTCP traffic detected without corresponding DNS query: 15.228.77.178
      Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
      Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
      Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
      Source: abd1 .exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: abd1 .exe, 00000003.00000003.261340368.000000000097A000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
      Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
      Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
      Source: abd1 .exe.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
      Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
      Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
      Source: abd1 .exe.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0C
      Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0H
      Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0I
      Source: abd1 .exe.1.drString found in binary or memory: http://ocsp.digicert.com0O
      Source: abd1 .exe, 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
      Source: abd1 .exe, 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drString found in binary or memory: http://stats.itopvpn.com/iusage.php
      Source: abd1 .exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
      Source: abd1 .exe.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
      Source: abd1 .exe, 00000003.00000002.509813241.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.356488267.0000000002450000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.365405919.000000006A90D000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.indyproject.org/
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/)B3
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/SS
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php$
      Source: abd1 .exe, 00000003.00000002.512897795.0000000006251000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php...
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php1gW
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php25
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php4
      Source: abd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.php;
      Source: abd1 .exe, 00000003.00000002.506807500.000000000098B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.319331406.0000000000989000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpE
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpF
      Source: abd1 .exe, 00000003.00000002.506807500.00000000008F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpMm
      Source: abd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpTR
      Source: abd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpWO
      Source: abd1 .exe, 00000003.00000002.512897795.0000000006251000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpX%
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpb$f
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpimagens/bo/inspecionando.php8
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000940000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpj
      Source: abd1 .exe, 00000003.00000002.506807500.00000000008F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpom
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phporC:
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpphG
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpq
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.php8
      Source: abd1 .exe, 00000003.00000002.506807500.0000000000907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phptCache
      Source: abd1 .exe, 00000003.00000002.506807500.0000000000907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phptCookies
      Source: abd1 .exe, 0000000D.00000002.347804013.0000000000196000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL
      Source: abd1 .exe, 00000003.00000002.506807500.00000000008F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ebaoffice.com.br/imagens/bo/inspecionando.phpxm
      Source: abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
      Source: abd1 .exe, 00000003.00000002.506807500.000000000093D000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comt
      Source: abd1 .exe.1.drString found in binary or memory: https://www.digicert.com/CPS0
      Source: unknownDNS traffic detected: queries for: ebaoffice.com.br
      Source: global trafficHTTP traffic detected: GET /imagens/bo/inspecionando.php HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ebaoffice.com.brConnection: Keep-Alive
      Source: unknownHTTPS traffic detected: 187.45.187.42:443 -> 192.168.2.7:49697 version: TLS 1.2
      Source: abd1 .exe, 00000003.00000002.506807500.00000000008AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      System Summary

      barindex
      Malicious sample detected (through community Yara rule)
      Source: 13.2.abd1 .exe.6a500000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a160ca52 Author: unknown
      Source: 13.2.abd1 .exe.6a500000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
      Source: 13.2.abd1 .exe.6a500000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_d4b38e13 Author: unknown
      Source: 00000003.00000002.517143988.000000006C729000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a160ca52 Author: unknown
      Source: 0000000D.00000002.350190121.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
      Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a160ca52 Author: unknown
      Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
      Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_d4b38e13 Author: unknown
      Source: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 Author: unknown
      Source: 13.2.abd1 .exe.6a500000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Generic_a160ca52 reference_sample = 650bf19e73ac2d9ebbf62f15eeb603c2b4a6a65432c70b87edc429165d6706f3, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 06eca9064ca27784b61994844850f05c47c07ba6c4242a2572d6d0c484a920f0, id = a160ca52-8911-4649-a1fa-ac8f6f75e18d, last_modified = 2022-04-12
      Source: 13.2.abd1 .exe.6a500000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
      Source: 13.2.abd1 .exe.6a500000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_d4b38e13 reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = c91f97a7e609d8138f8c5c7dd66cf675b1b3762f26baa5bf983ee212011b99cb, id = d4b38e13-1439-4549-ba90-0b4a8ed57fb3, last_modified = 2022-04-12
      Source: 00000003.00000002.517143988.000000006C729000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a160ca52 reference_sample = 650bf19e73ac2d9ebbf62f15eeb603c2b4a6a65432c70b87edc429165d6706f3, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 06eca9064ca27784b61994844850f05c47c07ba6c4242a2572d6d0c484a920f0, id = a160ca52-8911-4649-a1fa-ac8f6f75e18d, last_modified = 2022-04-12
      Source: 0000000D.00000002.350190121.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
      Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_Generic_a160ca52 reference_sample = 650bf19e73ac2d9ebbf62f15eeb603c2b4a6a65432c70b87edc429165d6706f3, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Generic, fingerprint = 06eca9064ca27784b61994844850f05c47c07ba6c4242a2572d6d0c484a920f0, id = a160ca52-8911-4649-a1fa-ac8f6f75e18d, last_modified = 2022-04-12
      Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
      Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_d4b38e13 reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = c91f97a7e609d8138f8c5c7dd66cf675b1b3762f26baa5bf983ee212011b99cb, id = d4b38e13-1439-4549-ba90-0b4a8ed57fb3, last_modified = 2022-04-12
      Source: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_a7da40b7 reference_sample = 2fb7241ffdfa7525f125e6d7b18e895cfb512ebb6905d056dbe7d76e8d6df806, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 62a62ede10d977582329b3daaa80b0b64576add77736135bac97d3a3eb6de558, id = a7da40b7-63cc-4456-a592-0485932092d5, last_modified = 2022-04-12
      Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIEF68.tmpJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\54ea57.msiJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007D20503_2_007D2050
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0082E8FC3_2_0082E8FC
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_0082E6F33_2_0082E6F3
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_008212163_2_00821216
      Source: WebUI.dll.1.drStatic PE information: Resource name: RT_STRING type: VAX-order 68K Blit (standalone) executable
      Source: f_4_T_u_r_4_34536_45645_3345_wo.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs f_4_T_u_r_4_34536_45645_3345_wo.msi
      Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
      Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
      Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\abd1 .exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
      Source: WebUI.dll.1.drStatic PE information: Section: .rodata ZLIB complexity 0.999481201171875
      Source: f_4_T_u_r_4_34536_45645_3345_wo.msiVirustotal: Detection: 30%
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\f_4_T_u_r_4_34536_45645_3345_wo.msi"
      Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 715EC454D0BEADF2C26248DD1CAED610
      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\abd1 .exe "C:\Users\user\AppData\Roaming\abd1 .exe"
      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 715EC454D0BEADF2C26248DD1CAED610Jump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\abd1 .exeJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user~1\AppData\Local\Temp\MSI4e70b.LOGJump to behavior
      Source: classification engineClassification label: mal88.evad.winMSI@7/27@1/2
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
      Source: f_4_T_u_r_4_34536_45645_3345_wo.msiStatic file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\gg24UGs6BG
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$31c
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$b58
      Source: Yara matchFile source: 3.0.abd1 .exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\abd1 .exe, type: DROPPED
      Source: C:\Users\user\AppData\Roaming\abd1 .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: f_4_T_u_r_4_34536_45645_3345_wo.msiStatic file information: File size 7266816 > 1048576
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: f_4_T_u_r_4_34536_45645_3345_wo.msi, MSIF130.tmp.1.dr, MSIF22B.tmp.1.dr, 54ea57.msi.1.dr, MSIEF68.tmp.1.dr
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_02345477 push ebx; retf 3_3_0234547C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_02347E6A push ecx; retf 3_3_02347E6B
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_02348CEF push eax; retf 3_3_02348CFC
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_02346AC3 push fs; iretd 3_3_02346AD5
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_0234533B push ebx; iretd 3_3_0234533C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_02345B22 push 00000048h; ret 3_3_02345B2C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_0234872F push eax; retf 3_3_0234873C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_023489AF push eax; retf 3_3_023489BC
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_3_02347FD1 push cs; iretd 3_3_02347FD4
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007C007C push FFFFFFA2h; iretd 3_2_007C007E
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007C2462 push ebx; ret 3_2_007C246C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007C3055 push eax; retf 3_2_007C305C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007C395D pushfd ; iretd 3_2_007C3960
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007C1917 push ebx; retf 3_2_007C191C
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_007C2765 push edi; retf 3_2_007C276E
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 13_3_0258F2E8 push ss; retf 13_3_0258F2F2
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 13_3_0258F2BA push ss; retf 13_3_0258F2F2
      Source: WebUI.dll.1.drStatic PE information: section name: .ctors
      Source: WebUI.dll.1.drStatic PE information: section name: .rodata
      Source: initial sampleStatic PE information: section where entry point is pointing to: .rodata
      Source: initial sampleStatic PE information: section name: .rodata entropy: 7.996799289406116
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF130.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF100.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF22B.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF092.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\abd1 .exeJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEF68.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\WebUI.dllJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF130.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF100.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF22B.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF092.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEF68.tmpJump to dropped file
      Source: C:\Users\user\AppData\Roaming\abd1 .exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run abd1 .exeJump to behavior

      Hooking and other Techniques for Hiding and Protection

      barindex
      Overwrites code with unconditional jumps - possibly settings hooks in foreign process
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 796 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 796 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 796 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 796 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 796 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 796 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2904 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2904 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2904 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2904 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2904 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory written: PID: 2904 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: NOGPFAULTERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      barindex
      Tries to evade debugger and weak emulator (self modifying code)
      Source: C:\Users\user\AppData\Roaming\abd1 .exeSpecial instruction interceptor: First address: 000000006C735989 instructions caused by: Self-modifying code
      Source: C:\Users\user\AppData\Roaming\abd1 .exeSpecial instruction interceptor: First address: 0000000000825FE9 instructions caused by: Self-modifying code
      Source: C:\Users\user\AppData\Roaming\abd1 .exeSpecial instruction interceptor: First address: 00000000022C5E99 instructions caused by: Self-modifying code
      Source: C:\Users\user\AppData\Roaming\abd1 .exe TID: 3148Thread sleep time: -40000s >= -30000sJump to behavior
      Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF130.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF22B.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF100.tmpJump to dropped file
      Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF092.tmpJump to dropped file
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 5E90000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 66F0000 memory commit | memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 6870000 memory commit | memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 6890000 memory commit | memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeMemory allocated: 5F20000 memory reserve | memory write watchJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeFile opened / queried: VBoxGuestJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
      Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeThread delayed: delay time: 40000Jump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
      Source: abd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9wNj
      Source: abd1 .exe, 00000003.00000003.319331406.0000000000940000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000002.506807500.000000000092E000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: abd1 .exe, 00000003.00000002.506807500.00000000008FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH

      Anti Debugging

      barindex
      Hides threads from debuggers
      Source: C:\Users\user\AppData\Roaming\abd1 .exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeThread information set: HideFromDebuggerJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeSystem information queried: KernelDebuggerInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugObjectHandleJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugFlagsJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugObjectHandleJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeProcess queried: DebugFlagsJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeFile opened: NTICE
      Source: C:\Users\user\AppData\Roaming\abd1 .exeFile opened: SICE
      Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\abd1 .exe C:\Users\user\AppData\Roaming\abd1 .exeJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeCode function: 3_2_008318C6 LdrInitializeThunk,LoadLibraryA,LdrInitializeThunk,3_2_008318C6
      Source: abd1 .exe, 00000003.00000002.515353721.0000000006B6A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGERq
      Source: abd1 .exe, 00000003.00000002.515353721.0000000006B6A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGER1
      Source: abd1 .exe, 00000003.00000002.515353721.0000000006B6A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGERa
      Source: abd1 .exe, 00000003.00000002.515353721.0000000006B6A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: PROGRAM MANAGER
      Source: abd1 .exe, 00000003.00000002.509813241.0000000002438000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: Program Manager@
      Source: abd1 .exe, 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drBinary or memory string: ProgmanU
      Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeQueries volume information: C:\Users\user\AppData\Roaming\WebUI.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeQueries volume information: C:\Users\user\AppData\Roaming\WebUI.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Roaming\abd1 .exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
      Source: abd1 .exe, 00000003.00000002.506807500.00000000008EB000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      1
      Replication Through Removable Media      		1
      Windows Management Instrumentation      		1
      Registry Run Keys / Startup Folder      		2
      Process Injection      		21
      Masquerading      		1
      Credential API Hooking      		261
      Security Software Discovery      		1
      Replication Through Removable Media      		1
      Credential API Hooking      		Exfiltration Over Other Network Medium11
      Encrypted Channel      		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/Job1
      DLL Side-Loading      		1
      Registry Run Keys / Startup Folder      		1
      Disable or Modify Tools      		1
      Input Capture      		2
      Process Discovery      		Remote Desktop Protocol1
      Input Capture      		Exfiltration Over Bluetooth1
      Ingress Tool Transfer      		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)1
      DLL Side-Loading      		161
      Virtualization/Sandbox Evasion      		Security Account Manager161
      Virtualization/Sandbox Evasion      		SMB/Windows Admin Shares1
      Archive Collected Data      		Automated Exfiltration2
      Non-Application Layer Protocol      		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
      Process Injection      		NTDS11
      Peripheral Device Discovery      		Distributed Component Object ModelInput CaptureScheduled Transfer13
      Application Layer Protocol      		SIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script3
      Obfuscated Files or Information      		LSA Secrets1
      Remote System Discovery      		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.common3
      Software Packing      		Cached Domain Credentials122
      System Information Discovery      		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup Items1
      DLL Side-Loading      		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
      File Deletion      		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      f_4_T_u_r_4_34536_45645_3345_wo.msi30%VirustotalBrowse

      Dropped Files

      SourceDetectionScannerLabelLink
      C:\Users\user\AppData\Roaming\WebUI.dll100%AviraHEUR/AGEN.1300181
      C:\Users\user\AppData\Roaming\WebUI.dll100%Joe Sandbox ML
      C:\Users\user\AppData\Roaming\abd1 .exe0%ReversingLabs
      C:\Windows\Installer\MSIEF68.tmp0%ReversingLabs

      Unpacked PE Files

      SourceDetectionScannerLabelLinkDownload
      3.3.abd1 .exe.2520000.0.unpack100%AviraTR/Crypt.ZPACK.Gen2Download File
      13.2.abd1 .exe.6a500000.1.unpack100%AviraTR/Crypt.XPACK.Gen3Download File

      Domains

      SourceDetectionScannerLabelLink
      ebaoffice.com.br2%VirustotalBrowse

      URLs

      SourceDetectionScannerLabelLink
      http://www.indyproject.org/0%URL Reputationsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpX%0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpb$f0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phptCache0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpTR0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php250%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpphG0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpMm0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpj0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpxm0%Avira URL Cloudsafe
      https://ebaoffice.com.br/)B30%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php$0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpq0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php1gW0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phporC:0%Avira URL Cloudsafe
      https://ebaoffice.com.br/0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php40%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php;100%Avira URL Cloudmalware
      http://stats.itopvpn.com/iusage.php0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpimagens/bo/inspecionando.php80%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php100%Avira URL Cloudmalware
      https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.php...0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpom0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phptCookies0%Avira URL Cloudsafe
      https://ebaoffice.com.br/SS0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpE0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpF0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpWO0%Avira URL Cloudsafe
      https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.php80%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      NameIPActiveMaliciousAntivirus DetectionReputation
      ebaoffice.com.br
      		187.45.187.42
      		truefalseunknown

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpfalse
      • Avira URL Cloud: malware
      		unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpX%abd1 .exe, 00000003.00000002.512897795.0000000006251000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://ebaoffice.com.br/imagens/bo/inspecionando.phpb$fabd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      https://ebaoffice.com.br/imagens/bo/inspecionando.phptCacheabd1 .exe, 00000003.00000002.506807500.0000000000907000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      		unknown
      http://schemas.xmlsoap.org/soap/envelope/abd1 .exe, 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drfalse
        		high
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpTRabd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.php25abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://www.indyproject.org/abd1 .exe, 00000003.00000002.509813241.00000000023D0000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.356488267.0000000002450000.00000004.00001000.00020000.00000000.sdmp, abd1 .exe, 0000000D.00000002.365405919.000000006A90D000.00000040.00000001.01000000.00000004.sdmpfalse
        • URL Reputation: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpMmabd1 .exe, 00000003.00000002.506807500.00000000008F0000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpphGabd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpjabd1 .exe, 00000003.00000003.319331406.0000000000940000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpxmabd1 .exe, 00000003.00000002.506807500.00000000008F0000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/)B3abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.php$abd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        http://stats.itopvpn.com/iusage.phpabd1 .exe, 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, abd1 .exe.1.drfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpqabd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.php1gWabd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.php;abd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: malware
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phporC:abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/abd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.php4abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpimagens/bo/inspecionando.php8abd1 .exe, 00000003.00000003.319331406.0000000000940000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLLabd1 .exe, 0000000D.00000002.347804013.0000000000196000.00000004.00000010.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.php...abd1 .exe, 00000003.00000002.512897795.0000000006251000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpomabd1 .exe, 00000003.00000002.506807500.00000000008F0000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phptCookiesabd1 .exe, 00000003.00000002.506807500.0000000000907000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpC:abd1 .exe, 00000003.00000002.506807500.000000000098B000.00000004.00000020.00020000.00000000.sdmp, abd1 .exe, 00000003.00000003.319331406.0000000000989000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/SSabd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpFabd1 .exe, 00000003.00000003.319331406.0000000000999000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.php8abd1 .exe, 00000003.00000003.319331406.0000000000922000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpEabd1 .exe, 0000000D.00000002.348957842.000000000090E000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown
        https://ebaoffice.com.br/imagens/bo/inspecionando.phpWOabd1 .exe, 0000000D.00000002.348957842.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        		unknown

        World Map of Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public IPs

        IPDomainCountryFlagASNASN NameMalicious
        15.228.77.178
        		unknownUnited States
        		16509AMAZON-02USfalse
        187.45.187.42
        		ebaoffice.com.brBrazil
        		33182DIMENOCUSfalse

        General Information

        Joe Sandbox Version:37.0.0 Beryl
        Analysis ID:848975
        Start date and time:2023-04-18 16:28:42 +02:00
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 12m 39s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:16
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample file name:f_4_T_u_r_4_34536_45645_3345_wo.msi
        Detection:MAL
        Classification:mal88.evad.winMSI@7/27@1/2
        EGA Information:
        • Successful, ratio: 50%
        HDC Information:Failed
        HCA Information:
        • Successful, ratio: 76%
        • Number of executed functions: 5
        • Number of non-executed functions: 23
        Cookbook Comments:
        • Found application associated with file extension: .msi

        Warnings

        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
        • Excluded domains from analysis (whitelisted): fs.microsoft.com
        • Execution Graph export aborted for target abd1 .exe, PID 2904 because there are no executed function
        • Not all processes where analyzed, report is missing behavior information
        • Report creation exceeded maximum time and may have missing disassembly code information.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • Report size getting too big, too many NtSetInformationFile calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        16:29:44API Interceptor1x Sleep call for process: abd1 .exe modified
        16:30:11AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe
        16:30:21AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run abd1.exe C:\Users\user\AppData\Roaming\abd1.exe

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        15.228.77.178n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msiGet hashmaliciousUnknownBrowse
          n_f_3_f_1_s_k_4_l.msiGet hashmaliciousUnknownBrowse
            Mandado-Intima#U00e7#U00e3o_Art516mlhg.msiGet hashmaliciousUnknownBrowse
              z12A____o-Trabalhista.msiGet hashmaliciousUnknownBrowse
                z1F_4_T_U_r_4_2024mfdfgryry5.msiGet hashmaliciousUnknownBrowse
                  F_4_T_U_R_4___nf____0992344.4354.msiGet hashmaliciousUnknownBrowse
                    rPEDIDOS-10032023-X491kkum.msiGet hashmaliciousUnknownBrowse
                      z93nf_e_mnhhh345553.msiGet hashmaliciousUnknownBrowse
                        z1n_f_e_Fa_tu_r4_03.msiGet hashmaliciousUnknownBrowse
                          PEDIDOS-08032023-X388omke.msiGet hashmaliciousUnknownBrowse
                            Nota-LG-emitida-13488mhqt.msiGet hashmaliciousUnknownBrowse
                              __B0L3T0_06Marc_23_f4tur4__.msiGet hashmaliciousUnknownBrowse
                                __B0L3T0_06Marc_23_f4tur4__.msiGet hashmaliciousUnknownBrowse
                                  rPedido-Danfe-03-03-202316872pnlc.msiGet hashmaliciousUnknownBrowse
                                    Autos-Processo 27-02-2023 ligh.msiGet hashmaliciousUnknownBrowse
                                      rEmita-Danfe-01-03-20234076czdg.msiGet hashmaliciousUnknownBrowse

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ebaoffice.com.brn_f_3_e_l_3_t_r_0_n_1_k_4_00545.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        n_f_3_f_1_s_k_4_l.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        z1F_4_T_U_r_4_2024mfdfgryry5.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        F_4_T_U_R_4___nf____0992344.4354.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        z93nf_e_mnhhh345553.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        z1n_f_e_Fa_tu_r4_03.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        __B0L3T0_06Marc_23_f4tur4__.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        __B0L3T0_06Marc_23_f4tur4__.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        AMAZON-02USbQQ1GGT8C6.elfGet hashmaliciousMiraiBrowse
                                        • 63.32.230.97
                                        https://links.lead.traininngsonline.com/servlet/MailView?ms=NDk4OTEwS0&r=MTg0NDI5NzExMgS2&j=MTEwMDAxMjY2MQS2&mt=1&rt=0Get hashmaliciousUnknownBrowse
                                        • 52.217.197.145
                                        https://links.lead.traininngsonline.com/servlet/MailView?ms=NDk4OTEwS0&r=MTg0NDI5NzExMgS2&j=MTEwMDAxMjY2MQS2&mt=1&rt=0Get hashmaliciousUnknownBrowse
                                        • 52.216.36.113
                                        NTzN4PpqcZ.elfGet hashmaliciousMiraiBrowse
                                        • 54.97.222.171
                                        https://links.lead.traininngsonline.com/servlet/MailView?ms=NDk4OTEwS0&r=MTg0NDI5NzExMgS2&j=MTEwMDAxMjY2MQS2&mt=1&rt=0Get hashmaliciousUnknownBrowse
                                        • 54.231.194.121
                                        Wp2jiU6tOK.elfGet hashmaliciousMiraiBrowse
                                        • 108.153.108.108
                                        nabx86.elfGet hashmaliciousUnknownBrowse
                                        • 18.167.8.228
                                        https://www.firefoxs.org/Get hashmaliciousUnknownBrowse
                                        • 13.32.119.185
                                        sora.x86.elfGet hashmaliciousMiraiBrowse
                                        • 13.223.33.108
                                        https://www.saanys.orgGet hashmaliciousUnknownBrowse
                                        • 65.9.66.81
                                        https://bit.ly/3ZxhUMsGet hashmaliciousGRQ ScamBrowse
                                        • 13.226.175.66
                                        #Doc.Signed.htmlGet hashmaliciousHTMLPhisherBrowse
                                        • 13.226.160.37
                                        https://www.fo-sec.com/articles/10-defender-bypass-methodsGet hashmaliciousMimikatzBrowse
                                        • 99.86.159.4
                                        #Doc.Signed.htmlGet hashmaliciousHTMLPhisherBrowse
                                        • 13.226.160.38
                                        #Doc.Signed.htmlGet hashmaliciousHTMLPhisherBrowse
                                        • 13.226.160.64
                                        Uncatastrophic.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                        • 3.1.17.18
                                        https://ubcspa.lt.emlnk.com/Prod/link-tracker?notrack=1&redirectUrl=aHR0cHMlM0ElMkYlMkZjbG91ZGZsYXJlLWlwZnMuY29tJTJGaXBmcyUyRmJhZmtyZWlob3p2NGp0b2JmM3VzcWRrcW83djZ4ZHRqZ3Nha3prM3p5aTJ4Y2s0MnZmZDZtcm0yYm80JTNGeEFmOTdxRnFzNnNlTTRsNU8waWxqczlvanc4MXcwcEVJZFpacElvckFtUFlBR1FyTDByb3NBJTI1M0QlMjUzRCUyNmglM0Q1OTE0MTlkYjIyNGZiYTA4dDQzNTY1Mw==&sig=DQgNWA6aQJexwdwbXCJxaoF9spDnUmiBz6uhfKMGUJ74&iat=1681797648&a=%7C%7C1002808898%7C%7C&account=ubcspa%2Eactivehosted%2Ecom&email=QMWgtWkVyJRdAxhI%2BDfqavf3ZNcRvSTI5RufnpP73IpsbduYmXU%3D%3AJ25UgFi9ooxAJezFNBiJBoE38jVzdR5z&s=d7e5172ae8ad32e6c27aeff6f776904d&i=1A3A1A5#Yml1cm9AaS1ob3N0LnBsGet hashmaliciousHTMLPhisherBrowse
                                        • 54.187.136.42
                                        https://dev-ficoparstrl.pantheonsite.io/home.phpGet hashmaliciousUnknownBrowse
                                        • 52.215.192.132
                                        http://url4972.ohiresources.com/ls/click?upn=XNzLsuQYzloW-2BTGZH9692yJ2CxVy2Edke5QyZUlMlr9SGhXXTLFUvyKPONNb-2Fkg46bYfs1n-2Byy-2BHwkii86KioIsOmOLlLXB2BhZg1fLWBww-3Du4hR_YqVc2Q6TaxfIVY64HpFtFz9OOv4xm6lumw5ffgtQ8F8qR2sKyOuCGgDcTWLy93e5cVN9xeXi9c2ZB8Iet1k3blzgGVerK-2BzzUeDgZ9XFfiUdcTmrak0bW5ozImAMtlqB-2FFqhFNXzT-2BU1daX3-2BWNBT1eY01Op-2FON-2BcY6XTT6y9anMSZiP2b5oJinTIF1LyrM1snk3s0KnLpYkx4s8vzE0KLvyK-2BS1aqUmphfI5Cg4EG0jKI5Hl8p7WEzuRPOb3Zsl8MplLuSvrILS9U8JoUN554KDLnR6xTDrP9OzcrH12NEYbkvI8GJi0GtTL1SaFFsJfILxr5tkiVplpEJW8BU7tI1UUW51Xh6ksn-2BCPJ6ttC2wgllxOMCWFrpog-2F0vELG3dI4QqwoEUktBx6xPPrSC1O9ge3SL8jL7-2FvR4QEqCawaWn1H6N98XdtLUr5qnmwIk9F0UuaTGzrsFy72BFC6jqpcYz5o1syXqLJgmuCHkLabZo-2BbmT0-2B95PMiAplppxqz3a889BHFcRDccMjJTdqCQieWSrSztjoIlq9nS7UKNWT5ZRnNYP5Ij1OrE7jvJ-2FHjSBOI74n3BCi8pW-2Bv72Fk4CIwxPeuLYSI8bKEKNeJtIYvQhG9omwTCBoLk2OdUSK89R325nOAQYktnVC5BEyb7RYNJ-2BYClXAmj-2FrnCEb1Nm-2BRF4DQE6I24QGV9f-2FoK8sfzAWpMlb2KsRnmrqAqplyHfRJ9sMwS47X07CL0F-2FQLHLqmGe8xFKHemOJ-2FMnLIiyW1kX2S-2BrJBa-2BJhjqG0e9rqKyihnkU5-2FNs0eALd4qk0AxTTa79aaCjOliO4t-2FTMJszwBcB-2F6oq-2FrDxJKCoqUrVZYvUmxO6koOfKNxP6yEsLNE9O9ON5gfQcNIT98u0bImm-2BtrnMZ0-2Fwy8y7YJ7KLs0FQ-3D-3DGet hashmaliciousHTMLPhisherBrowse
                                        • 13.225.239.38
                                        http://dsena3net.web.app/rdy9huek17k17enbergerx0qsk17WO3dy9s3RWO3BM2?id=com.google.android.apps.youtube.musicGet hashmaliciousHTMLPhisherBrowse
                                        • 34.213.63.128

                                        JA3 Fingerprints

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        37f463bf4616ecd445d4a1937da06e197lNejSq0Ny.exeGet hashmaliciousNymaimBrowse
                                        • 187.45.187.42
                                        7lNejSq0Ny.exeGet hashmaliciousNymaimBrowse
                                        • 187.45.187.42
                                        Misknew84.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                        • 187.45.187.42
                                        Uncatastrophic.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                        • 187.45.187.42
                                        FACT643e5.msiGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        MzCuNJsGlH.exeGet hashmaliciousVidarBrowse
                                        • 187.45.187.42
                                        CpKw5qHaAT.exeGet hashmaliciousRedLineBrowse
                                        • 187.45.187.42
                                        Purchase_order_pdf.exeGet hashmaliciousBluStealer, ThunderFox Stealer, a310LoggerBrowse
                                        • 187.45.187.42
                                        S31849927.923637.94331.lNk.lnkGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        34120426359317465.279573.66928.lNk.lnkGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        Update.jsGet hashmaliciousUnknownBrowse
                                        • 187.45.187.42
                                        file.exeGet hashmaliciousVidarBrowse
                                        • 187.45.187.42
                                        Shipment_invoice.exeGet hashmaliciousBluStealer, ThunderFox Stealer, a310LoggerBrowse
                                        • 187.45.187.42
                                        2.bin.exeGet hashmaliciousBabuk, DjvuBrowse
                                        • 187.45.187.42
                                        file.exeGet hashmaliciousFabookie, Nymaim, SocelarsBrowse
                                        • 187.45.187.42
                                        file.exeGet hashmaliciousVidarBrowse
                                        • 187.45.187.42
                                        file.exeGet hashmaliciousAzorult, Vidar, zgRATBrowse
                                        • 187.45.187.42
                                        file.exeGet hashmaliciousClipboard Hijacker, VidarBrowse
                                        • 187.45.187.42
                                        file.exeGet hashmaliciousClipboard Hijacker, PrivateLoaderBrowse
                                        • 187.45.187.42
                                        LRYuDFK43J.exeGet hashmaliciousOski Stealer, VidarBrowse
                                        • 187.45.187.42

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        C:\Users\user\AppData\Roaming\abd1 .exen_f_3_e_l_3_t_r_0_n_1_k_4_00545.msiGet hashmaliciousUnknownBrowse
                                          Aplica#U00e7#U00e3o.msiGet hashmaliciousUnknownBrowse
                                            n_f_3_f_1_s_k_4_l.msiGet hashmaliciousUnknownBrowse
                                              Mandado-Intima#U00e7#U00e3o_Art516mlhg.msiGet hashmaliciousUnknownBrowse
                                                z12A____o-Trabalhista.msiGet hashmaliciousUnknownBrowse
                                                  z1F_4_T_U_r_4_2024mfdfgryry5.msiGet hashmaliciousUnknownBrowse
                                                    F_4_T_U_R_4___nf____0992344.4354.msiGet hashmaliciousUnknownBrowse
                                                      rPEDIDOS-10032023-X491kkum.msiGet hashmaliciousUnknownBrowse
                                                        j3PHT0tBBF.msiGet hashmaliciousUnknownBrowse
                                                          j3PHT0tBBF.msiGet hashmaliciousUnknownBrowse
                                                            B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msiGet hashmaliciousUnknownBrowse
                                                              rPedido-Danfe-03-03-202316872pnlc.msiGet hashmaliciousUnknownBrowse
                                                                Autos-Processo 27-02-2023 ligh.msiGet hashmaliciousUnknownBrowse
                                                                  rEmita-Danfe-01-03-20234076czdg.msiGet hashmaliciousUnknownBrowse
                                                                    Formulario_20183.msiGet hashmaliciousHidden Macro 4.0Browse

                                                                      Created / dropped Files

                                                                      C:\Config.Msi\54ea59.rbs

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:modified
                                                                      Size (bytes):1668
                                                                      Entropy (8bit):5.552859472934621
                                                                      Encrypted:false
                                                                      SSDEEP:24:n8gkBwsgj8nlTi6OZh26ANnQ8k/N/6+Mw4ib+w4ib3idnw4ibMPzP6qo6IPf0xXg:n8BlARNjw+F/l85KPAX6mOT
                                                                      MD5:6EB44F7B70C827E60AEA9044CFEB6CB0
                                                                      SHA1:FB0AAB7B59722C08E85A8508A44BF36E9FE6CCB7
                                                                      SHA-256:D96B8F6667309F7D03295C9A7B6AA341DD58A0CBBA7DAB7DA470D60D45DB7EC6
                                                                      SHA-512:C526A9121F9D3D233DA294CA543FFD2EEE8F3D613BD0378A50735B57966B520974D734A0F80B9C989578FAA855532BD98A6DFC84D4EFB9F2DE7CD4D8FA3CA3BC
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:...@IXOS.@.....@...V.@.....@.....@.....@.....@.....@......&.{2B1CE961-C194-40CC-8C77-0B54440A63E6}..Aplicativo Windows#.f_4_T_u_r_4_34536_45645_3345_wo.msi.@.....@...2.@.....@........&.{835F383E-E04C-4466-A20C-2C6058280DC5}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{F21D4BC4-5265-496E-B90A-9E04C0A0E623}&.{2B1CE961-C194-40CC-8C77-0B54440A63E6}.@......&.{5C14B548-CCD4-46CF-8BD7-9397894C79C6}&.{2B1CE961-C194-40CC-8C77-0B54440A63E6}.@......&.{1A883933-935B-4A08-980D-2C4BC5D041D8}&.{2B1CE961-C194-40CC-8C77-0B54440A63E6}.@......&.{EA360D96-D488-46C9-842A-7281F5BDA660}&.{2B1CE961-C194-40CC-8C77-0B54440A63E6}.@........CreateFolders..Criando novas pastas..Pasta: [1]".#.C:\Users\user\AppData\Roaming\.@..............0.......L...................I..~.......................I..~.....

                                                                      C:\Users\user\AppData\Local\648351

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):32
                                                                      Entropy (8bit):4.390319531114783
                                                                      Encrypted:false
                                                                      SSDEEP:3:1EypyFMxFvqy:1Xpy2x5
                                                                      MD5:70A299535F13B1CD790B5620CE6D2452
                                                                      SHA1:C11F88375BBD6401A9888A63B010BD4311A27E4E
                                                                      SHA-256:CAA51F567DE01888ACC9DD976EC89BE2E79E9635BC9863EBF587DC105CE3AE0E
                                                                      SHA-512:8BBDD562520EA492587C60481DED094B12D37625E11EE1DCFB27E931889986046801FDA7BBD5B9E6110CAC3E330345EFAAE65428787A0C10C1C49204060B6B4E
                                                                      Malicious:false
                                                                      Preview:[Generate Pasta]..kOiTXRFXLSmO..

                                                                      C:\Users\user\AppData\Local\Temp\MSI4e70b.LOG

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):160162
                                                                      Entropy (8bit):3.8064960054195156
                                                                      Encrypted:false
                                                                      SSDEEP:1536:V/UXirdyEEWLkWxgFFCXyTlqxV1Uq5jRhezfTfjh7WA2UVKodaQYLAfjTuOgHMWt:EjVwsppjs
                                                                      MD5:75A0A0C74F3F8B45FBA3743FD9E00774
                                                                      SHA1:0B433CBC01A15841187F2ED3A36606459F8D449F
                                                                      SHA-256:DC0AA7A7DB6A618DDA198D9D598264723A5AAD628759F2C30DBB9A767DDA9DD3
                                                                      SHA-512:3D0EB81CF35ED3B0B0611CBCA9B95757A9CAB94FCC5D6D01949A424D20AD1FA963EB9FA12B3CCF134AAF8BBEBEEB7085FCA85E9D6B63E3F7079EE2FA299B68FB
                                                                      Malicious:false
                                                                      Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .4./.1.8./.2.0.2.3. . .1.6.:.2.9.:.3.5. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.F.C.:.A.4.). .[.1.6.:.2.9.:.3.5.:.6.6.2.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.F.C.:.A.4.). .[.1.6.:.2.9.:.3.5.:.6.6.2.].:. .F.o.n.t. .c.r.e.a.t.e.d... . .C.h.a.r.s.e.t.:. .R.e.q.=.0.,. .R.e.t.=.0.,. .F.o.n.t.:. .R.e.q.=.M.S. .S.h.e.l.l. .D.l.g.,. .R.e.t.=.M.S. .S.h.e.l.l. .D.l.g.......M.S.I. .(.c.). .(.F.C.:.A.4.). .[.1.6.:.2.9.:.3.5.:.7.7.1.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.F.C.:.A.4.). .[.1.6.:.2.9.:.3.5.:.7.7.1.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.

                                                                      C:\Users\user\AppData\Roaming\WebUI.dll

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:MS-DOS executable PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):5424400
                                                                      Entropy (8bit):7.9872634011144354
                                                                      Encrypted:false
                                                                      SSDEEP:98304:qoRAFoNY6edEu1goDNJ3HRN1VO43oLeJtLU38uvIusGSOGdx:/RuqedEu3H/pjCtRsxV
                                                                      MD5:B407F1EE6DD56ACFBA29CF140109447B
                                                                      SHA1:9B7C1A62A1480D496715B340C56F260B2A2EA2F7
                                                                      SHA-256:99EC15C63820E40DBE409AEEBA542D4B0C23C6A24AF878CD10E4B4726259DB99
                                                                      SHA-512:8A4AA202B8FB1BBE8F98BB614CF81E82EF007435CB9AD7ED5838D7E86FED6A600738A631B3864CA6DDFFB69972F74C911650198BE70D5D5665CA2001BEE1F71B
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Preview:MZ.1...\.4..Av..i...7..'...H.dq.d..%..e..HM?T..(>..w..;c.}......Q..............................................................................................................................................................................................PE..L...z.=d...........!.....4A..Z........"......PA...@...........................#.....RvS...@...........................C.......D. .... D.l.....................D......................................................................................reloc....C............................@.tls..........C.....................@....reloc...@....C........................@.pdata........C.....................@..@.ctors........D.....................@..@.CRT..........D.....................@....rsrc...l.... D...3.................@..@.rodata.......".......3.............@.......................................................................................................................................................U~.......b:..6...=..E@.\w.

                                                                      C:\Users\user\AppData\Roaming\abd1 .exe

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1856512
                                                                      Entropy (8bit):6.763893864307226
                                                                      Encrypted:false
                                                                      SSDEEP:24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
                                                                      MD5:CEEF4762B36067F1D32A0DB621EE967E
                                                                      SHA1:D23DA38DF6B0FCA8C524B641C59C700A2338648E
                                                                      SHA-256:EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                                                                      SHA-512:6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Joe Sandbox View:
                                                                      • Filename: n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi, Detection: malicious, Browse
                                                                      • Filename: Aplica#U00e7#U00e3o.msi, Detection: malicious, Browse
                                                                      • Filename: n_f_3_f_1_s_k_4_l.msi, Detection: malicious, Browse
                                                                      • Filename: Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi, Detection: malicious, Browse
                                                                      • Filename: z12A____o-Trabalhista.msi, Detection: malicious, Browse
                                                                      • Filename: z1F_4_T_U_r_4_2024mfdfgryry5.msi, Detection: malicious, Browse
                                                                      • Filename: F_4_T_U_R_4___nf____0992344.4354.msi, Detection: malicious, Browse
                                                                      • Filename: rPEDIDOS-10032023-X491kkum.msi, Detection: malicious, Browse
                                                                      • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                      • Filename: j3PHT0tBBF.msi, Detection: malicious, Browse
                                                                      • Filename: B0LET0 VENC 060320234273168 WFTBCLZUJMVFEDSWZXMLWSBRA.msi, Detection: malicious, Browse
                                                                      • Filename: rPedido-Danfe-03-03-202316872pnlc.msi, Detection: malicious, Browse
                                                                      • Filename: Autos-Processo 27-02-2023 ligh.msi, Detection: malicious, Browse
                                                                      • Filename: rEmita-Danfe-01-03-20234076czdg.msi, Detection: malicious, Browse
                                                                      • Filename: Formulario_20183.msi, Detection: malicious, Browse
                                                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................

                                                                      C:\Windows\Installer\54ea57.msi

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {835F383E-E04C-4466-A20C-2C6058280DC5}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft Security, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Apr 17 20:16:00 2023, Number of Pages: 200
                                                                      Category:dropped
                                                                      Size (bytes):7266816
                                                                      Entropy (8bit):7.90403852924576
                                                                      Encrypted:false
                                                                      SSDEEP:196608:2oWn7jJ96d9Beq0OdBL9lPy9tXL5pwRD:2oOSd9wHOnLDq7XL5p
                                                                      MD5:3987C0F3AB2A1BB65A0D5E9208B62D46
                                                                      SHA1:6E7013E293C5A0910666EA488868D9216B2BB791
                                                                      SHA-256:61B65FE68D4A0ACBCB1EA4512EBDC5C7A41AEE8A3BF848CB52657738A6033156
                                                                      SHA-512:DC6A8D5AAAAA40C5FEEFBAD29170933EA4764507D09655054D036295876F7957A2FB7A87964BEE8088E4A01EAF35BBE60D1B95AE316F19458A478E0504A01732
                                                                      Malicious:false
                                                                      Preview:......................>...................o...................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...|...}...~...........................................................................................................................................................................................................................................................................................................................................<...........!...4............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...5...2...3...=...?...6...7...8...9...:...;...........>.......@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                      C:\Windows\Installer\MSIEF68.tmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):598840
                                                                      Entropy (8bit):6.4742572330426045
                                                                      Encrypted:false
                                                                      SSDEEP:12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
                                                                      MD5:8E565FD81CA10A65CC02E7901A78C95B
                                                                      SHA1:1BCA3979C233321AE527D4508CFE9B3BA825DBD3
                                                                      SHA-256:7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
                                                                      SHA-512:144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Installer\MSIF092.tmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):598840
                                                                      Entropy (8bit):6.4742572330426045
                                                                      Encrypted:false
                                                                      SSDEEP:12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
                                                                      MD5:8E565FD81CA10A65CC02E7901A78C95B
                                                                      SHA1:1BCA3979C233321AE527D4508CFE9B3BA825DBD3
                                                                      SHA-256:7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
                                                                      SHA-512:144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
                                                                      Malicious:true
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Installer\MSIF100.tmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):598840
                                                                      Entropy (8bit):6.4742572330426045
                                                                      Encrypted:false
                                                                      SSDEEP:12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
                                                                      MD5:8E565FD81CA10A65CC02E7901A78C95B
                                                                      SHA1:1BCA3979C233321AE527D4508CFE9B3BA825DBD3
                                                                      SHA-256:7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
                                                                      SHA-512:144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
                                                                      Malicious:true
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Installer\MSIF130.tmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):598840
                                                                      Entropy (8bit):6.4742572330426045
                                                                      Encrypted:false
                                                                      SSDEEP:12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
                                                                      MD5:8E565FD81CA10A65CC02E7901A78C95B
                                                                      SHA1:1BCA3979C233321AE527D4508CFE9B3BA825DBD3
                                                                      SHA-256:7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
                                                                      SHA-512:144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
                                                                      Malicious:true
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Installer\MSIF22B.tmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):598840
                                                                      Entropy (8bit):6.4742572330426045
                                                                      Encrypted:false
                                                                      SSDEEP:12288:JTjOV8EDRaQsUDE2dYu8z5fN8HcsvwaqN:hjOeEMQNLS5W8svwaqN
                                                                      MD5:8E565FD81CA10A65CC02E7901A78C95B
                                                                      SHA1:1BCA3979C233321AE527D4508CFE9B3BA825DBD3
                                                                      SHA-256:7B64112C2C534203BB59CE1A9B7D5390448C045DDA424FB3CFD5878EDB262016
                                                                      SHA-512:144BDE89EBA469B32B59F30E7F4D451329C541ED7B556BC60D118C9E2E5CDF148C2275CCA51C4B9355686AEFA16A4B86A26D4C8FE0DD2CF318B979863109592E
                                                                      Malicious:true
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)..)..)......$...........8.....>.....c......0......(.........)........A......(....U.(..).=.(......(..Rich)..................PE..L...W.%d.........."!...#.6...........S.......P...............................0............@..........................W..(...8`..,.......................8=.......g..x...p...............................@............P..P............................text....5.......6.................. ..`.rdata...+...P...,...:..............@..@.data... %...........f..............@....rsrc................v..............@..@.reloc...g.......h...~..............@..B................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Installer\MSIF4EB.tmp

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):2006
                                                                      Entropy (8bit):5.259183133976076
                                                                      Encrypted:false
                                                                      SSDEEP:24:nNgkBwsgj8nlTi6OZhEu6ANj0lC8ztK7Io6dclUtcx/6+SPMnNPfXI8cEwWHYHjP:nNBlA4PZRbnB+Hxwcpqv7AX6EO2mVf
                                                                      MD5:F8B6C2D7A8A41291F8C93FE8D815DDA0
                                                                      SHA1:DD9E81A12C52F1C430BD9C485A62CAD0DFED0345
                                                                      SHA-256:954267A6AA181104069F9F6DA5AF6FD831E22F48793DB4AAFC47E9D97BFC8D80
                                                                      SHA-512:54F4135274F008EE2DDAF47F9BC22DD5E5F0B664D449F9B50C799C999A45468D2E4947E954A22A297E4F2FC8ACCDA7BB6B0211FD768CD13E100B529EBDD46CA2
                                                                      Malicious:false
                                                                      Preview:...@IXOS.@.....@...V.@.....@.....@.....@.....@.....@......&.{2B1CE961-C194-40CC-8C77-0B54440A63E6}..Aplicativo Windows#.f_4_T_u_r_4_34536_45645_3345_wo.msi.@.....@...2.@.....@........&.{835F383E-E04C-4466-A20C-2C6058280DC5}.....@.....@.....@.....@.......@.....@.....@.......@......Aplicativo Windows......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]...@.......@........ProcessComponents%.Atualizando o registro de componentes...@.....@.....@.]....&.{F21D4BC4-5265-496E-B90A-9E04C0A0E623}#.C:\Users\user\AppData\Roaming\.@.......@.....@.....@......&.{5C14B548-CCD4-46CF-8BD7-9397894C79C6}:.01:\Software\Microsoft Security\Aplicativo Windows\Version.@.......@.....@.....@......&.{1A883933-935B-4A08-980D-2C4BC5D041D8},.C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.a.b.d.1.....e.x.e..@.......@.....@.....@......&.{EA360D96-D488-46C9-842A-7281F5BDA660},.C:\Users\user\AppData\Roaming\WebUI.dll.@.......

                                                                      C:\Windows\Installer\SourceHash{2B1CE961-C194-40CC-8C77-0B54440A63E6}

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.175743501730645
                                                                      Encrypted:false
                                                                      SSDEEP:12:JSbX72FjIAGiLIlHVRpg5h/7777777777777777777777777vDHF+G0U8BWjs/lz:JqQI5GAc8BwsEF
                                                                      MD5:3CB20D32760E18EBB4645FCF3CD57F79
                                                                      SHA1:DFAA38E3E972208EDB48506EF02908CC2EEA7D1E
                                                                      SHA-256:38E3BB110AF780A10D67FB34ED7CFB05D2BDEF0C98B3BCB66E9AA0341D4B9136
                                                                      SHA-512:273A7485ED4B826D89768F1E6900768B1C815FCA300A472B0F845E7DA1C26EFF15933E85E611284E0182EAD20EFCCBAEF02904C46980B169FAF33790C3EF3127
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.5227399761142526
                                                                      Encrypted:false
                                                                      SSDEEP:48:98PhCuRc06WXJGFT5FR/kMw3S+ZAE+lCyjMHMI3S+NTkcy:ghC1dFTrR/3w3raZlC0MsI3re
                                                                      MD5:F6EA4147DFDD915124214A0A3EB5A574
                                                                      SHA1:E4FD2D540F59B49D891B515B3D7762B777C619F5
                                                                      SHA-256:9551DBD70AA5B8F7CF8B8334CAE8F8798F871A78BF69C0C07581E65662CD0070
                                                                      SHA-512:6A318EE8322D5CE3802416B205618345793FEEE978100F1C7C8B605EB5335B3179F574D8E44A898EE8CFADC8A33EEB55488075F8FD863492931E95CAE4AB0939
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):174137
                                                                      Entropy (8bit):5.355161768480203
                                                                      Encrypted:false
                                                                      SSDEEP:768:2JcfxyJbOd+nInu0SXmV9UmtiBMwM5CSXKqqQMxlqNYL/AxVDTAMOfbDj/nCwpTj:2JcI4n9Umtipi5QctdM
                                                                      MD5:5D0F0F15F819FE5C86768C70AF652CFF
                                                                      SHA1:9DBA7C9889A0EDB7AEFDB6B3EFA357926CF6A2B5
                                                                      SHA-256:9640F886C2EAFE8B3A0422F5DF9253933DE0650B1A0597B75977F9E142E54276
                                                                      SHA-512:4EE823333E9EC36C67A451EBDF548890E42A4AF850678597DF8AA97CA71141433497CB9CC82A6D038A0062D496A08510A0776A626992E4E42EEFE1E77DE62C6D
                                                                      Malicious:false
                                                                      Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 11:01:23.494 [4132]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.494 [4132]: ngen returning 0x00000000..07/23/2020 11:01:23.541 [2300]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument.v10.0, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 11:01:23.557 [2300]: ngen returning 0x00000000..07/23/2020 11:01:23.603 [5144]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.Outlook.v9.0, Version=9.0.0.00000000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3

                                                                      C:\Windows\Temp\~DF35A35E76B3186934.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DF38FD36B12048525C.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.2236885335059848
                                                                      Encrypted:false
                                                                      SSDEEP:48:QOFKuXO+CFXJHT5XR/kMw3S+ZAE+lCyjMHMI3S+NTkcy:vKjvTJR/3w3raZlC0MsI3re
                                                                      MD5:3100AF756710CBD8903AAE5598AB419D
                                                                      SHA1:CA24B69EBD4CD584641508E670EC158D41CC81C0
                                                                      SHA-256:24B9C7A3F30F480A964A53C27268B598FC461C598FA4F1AC6C95D2531D997437
                                                                      SHA-512:8686D7E6CDDAC537DA362DDDF0B309EF2C9388A196669019C0CE053094FA08ABEE1C20FA3B2008AAE475028F88EBADF5B2558D6738699F95D4C667777678700E
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DF5DF7EAEA35B69F92.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.5227399761142526
                                                                      Encrypted:false
                                                                      SSDEEP:48:98PhCuRc06WXJGFT5FR/kMw3S+ZAE+lCyjMHMI3S+NTkcy:ghC1dFTrR/3w3raZlC0MsI3re
                                                                      MD5:F6EA4147DFDD915124214A0A3EB5A574
                                                                      SHA1:E4FD2D540F59B49D891B515B3D7762B777C619F5
                                                                      SHA-256:9551DBD70AA5B8F7CF8B8334CAE8F8798F871A78BF69C0C07581E65662CD0070
                                                                      SHA-512:6A318EE8322D5CE3802416B205618345793FEEE978100F1C7C8B605EB5335B3179F574D8E44A898EE8CFADC8A33EEB55488075F8FD863492931E95CAE4AB0939
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DF8EE7A9681D2F0EAA.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DF9286E837D141C4BC.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):73728
                                                                      Entropy (8bit):0.12168239254277692
                                                                      Encrypted:false
                                                                      SSDEEP:24:xqy/isoETxQowipVQoaQowipVQoSAEVQoyjCyjMHVqewGrS+1BMBR6:oyUETS3S+K3S+ZAE+lCyjMHM9kMBR
                                                                      MD5:5F4DB1DC341E86DF1DE8C391B1716BC0
                                                                      SHA1:47714AD1AF399720541D6056681A71D70063C7D4
                                                                      SHA-256:56859E944583A0864EE959B7D211084DAF82531545262FD3DF7D8AE700F0B3D6
                                                                      SHA-512:CA764CE7C02AAD36384306D6ED338663569A54E9ADCC7FA1CB575ECF1E1BD8B898769564BA43A6B2E55DA46409E17789A82CBB5D142467084F37AA3B8BF99F1F
                                                                      Malicious:false
                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DF93F70771894ADAAB.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):20480
                                                                      Entropy (8bit):1.5227399761142526
                                                                      Encrypted:false
                                                                      SSDEEP:48:98PhCuRc06WXJGFT5FR/kMw3S+ZAE+lCyjMHMI3S+NTkcy:ghC1dFTrR/3w3raZlC0MsI3re
                                                                      MD5:F6EA4147DFDD915124214A0A3EB5A574
                                                                      SHA1:E4FD2D540F59B49D891B515B3D7762B777C619F5
                                                                      SHA-256:9551DBD70AA5B8F7CF8B8334CAE8F8798F871A78BF69C0C07581E65662CD0070
                                                                      SHA-512:6A318EE8322D5CE3802416B205618345793FEEE978100F1C7C8B605EB5335B3179F574D8E44A898EE8CFADC8A33EEB55488075F8FD863492931E95CAE4AB0939
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DFA77B74CF5544B705.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.2236885335059848
                                                                      Encrypted:false
                                                                      SSDEEP:48:QOFKuXO+CFXJHT5XR/kMw3S+ZAE+lCyjMHMI3S+NTkcy:vKjvTJR/3w3raZlC0MsI3re
                                                                      MD5:3100AF756710CBD8903AAE5598AB419D
                                                                      SHA1:CA24B69EBD4CD584641508E670EC158D41CC81C0
                                                                      SHA-256:24B9C7A3F30F480A964A53C27268B598FC461C598FA4F1AC6C95D2531D997437
                                                                      SHA-512:8686D7E6CDDAC537DA362DDDF0B309EF2C9388A196669019C0CE053094FA08ABEE1C20FA3B2008AAE475028F88EBADF5B2558D6738699F95D4C667777678700E
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DFBCCD9DE1D23200AF.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DFCC05EA7F0C466022.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:Composite Document File V2 Document, Cannot read section info
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):1.2236885335059848
                                                                      Encrypted:false
                                                                      SSDEEP:48:QOFKuXO+CFXJHT5XR/kMw3S+ZAE+lCyjMHMI3S+NTkcy:vKjvTJR/3w3raZlC0MsI3re
                                                                      MD5:3100AF756710CBD8903AAE5598AB419D
                                                                      SHA1:CA24B69EBD4CD584641508E670EC158D41CC81C0
                                                                      SHA-256:24B9C7A3F30F480A964A53C27268B598FC461C598FA4F1AC6C95D2531D997437
                                                                      SHA-512:8686D7E6CDDAC537DA362DDDF0B309EF2C9388A196669019C0CE053094FA08ABEE1C20FA3B2008AAE475028F88EBADF5B2558D6738699F95D4C667777678700E
                                                                      Malicious:false
                                                                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DFE24625CFFA395684.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DFECBB46174EC2312D.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):32768
                                                                      Entropy (8bit):0.08010693907045595
                                                                      Encrypted:false
                                                                      SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4L3G037eNz4BWj+5dRltKVky6l31:2F0i8n0itFzDHF+G0U8BWjs/l
                                                                      MD5:663BDE5B0C0BC1C68C9BC3C2FBD79D39
                                                                      SHA1:C5D2D9202178B9AE6F95063CEEE2636245D62437
                                                                      SHA-256:8DD3911500E2277006026F149632913562C144E3EB4AD0EFE915A0756454F34F
                                                                      SHA-512:22DD599A3F38A90AE9D67B44843B71E99F4885EBF6F6717DEA9A45B79B30AFE1AF6AF2F7FBC262E32CB52B5EBEFC8D3354DB64A7E4E12474280B84412BEFE125
                                                                      Malicious:false
                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      C:\Windows\Temp\~DFF2EB52A30744D97E.TMP

                                                                      Download File
                                                                      Process:C:\Windows\System32\msiexec.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):512
                                                                      Entropy (8bit):0.0
                                                                      Encrypted:false
                                                                      SSDEEP:3::
                                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                      Malicious:false
                                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {835F383E-E04C-4466-A20C-2C6058280DC5}, Number of Words: 10, Subject: Aplicativo Windows, Author: Microsoft Security, Name of Creating Application: Aplicativo Windows, Template: ;1046, Comments: Aplicativo Windows, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Apr 17 20:16:00 2023, Number of Pages: 200
                                                                      Entropy (8bit):7.90403852924576
                                                                      TrID:
                                                                      • Microsoft Windows Installer (77509/1) 52.18%
                                                                      • Windows SDK Setup Transform Script (63028/2) 42.43%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                                                      File name:f_4_T_u_r_4_34536_45645_3345_wo.msi
                                                                      File size:7266816
                                                                      MD5:3987c0f3ab2a1bb65a0d5e9208b62d46
                                                                      SHA1:6e7013e293c5a0910666ea488868d9216b2bb791
                                                                      SHA256:61b65fe68d4a0acbcb1ea4512ebdc5c7a41aee8a3bf848cb52657738a6033156
                                                                      SHA512:dc6a8d5aaaaa40c5feefbad29170933ea4764507d09655054d036295876f7957a2fb7a87964bee8088e4a01eaf35bbe60d1b95ae316f19458a478e0504a01732
                                                                      SSDEEP:196608:2oWn7jJ96d9Beq0OdBL9lPy9tXL5pwRD:2oOSd9wHOnLDq7XL5p
                                                                      TLSH:9C761216F287C622C55C01BBE969FE5E1439BE63473011E3B7F9396E98F0CC162B9A11
                                                                      File Content Preview:........................>...................o...................................E.......b.......n...............................................r...s...t...u...v...w...x...y...z...{...|...}...~..............................................................

                                                                      File Icon

                                                                      Icon Hash:a2a0b496b2caca72

                                                                      Network Behavior

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Apr 18, 2023 16:29:45.579792023 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:45.579864979 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:45.579958916 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:45.621965885 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:45.622006893 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:45.699254036 CEST4969980192.168.2.715.228.77.178
                                                                      Apr 18, 2023 16:29:46.296722889 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:46.296888113 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:46.584945917 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:46.584990025 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:46.585628986 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:46.585906029 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:46.588293076 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:46.635421991 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:47.198468924 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:47.198590994 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:47.198633909 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:47.198667049 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:47.198909044 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:47.198936939 CEST44349697187.45.187.42192.168.2.7
                                                                      Apr 18, 2023 16:29:47.198951006 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:47.199090958 CEST49697443192.168.2.7187.45.187.42
                                                                      Apr 18, 2023 16:29:48.851041079 CEST4969980192.168.2.715.228.77.178
                                                                      Apr 18, 2023 16:29:54.960866928 CEST4969980192.168.2.715.228.77.178

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Apr 18, 2023 16:29:45.187043905 CEST5947753192.168.2.78.8.8.8
                                                                      Apr 18, 2023 16:29:45.557060003 CEST53594778.8.8.8192.168.2.7

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Apr 18, 2023 16:29:45.187043905 CEST192.168.2.78.8.8.80xf748Standard query (0)ebaoffice.com.brA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Apr 18, 2023 16:29:45.557060003 CEST8.8.8.8192.168.2.70xf748No error (0)ebaoffice.com.br187.45.187.42A (IP address)IN (0x0001)false

                                                                      HTTP Request Dependency Graph

                                                                      • ebaoffice.com.br

                                                                      HTTPS Proxied Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      0192.168.2.749697187.45.187.42443C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      2023-04-18 14:29:46 UTC0OUTGET /imagens/bo/inspecionando.php HTTP/1.1
                                                                      Accept: */*
                                                                      Accept-Language: en-US
                                                                      Accept-Encoding: gzip, deflate
                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                      Host: ebaoffice.com.br
                                                                      Connection: Keep-Alive
                                                                      2023-04-18 14:29:47 UTC0INHTTP/1.1 200 OK
                                                                      Connection: close
                                                                      x-powered-by: PHP/5.6.40
                                                                      content-type: text/html; charset=UTF-8
                                                                      cache-control: public, max-age=0
                                                                      expires: Tue, 18 Apr 2023 14:29:47 GMT
                                                                      content-length: 0
                                                                      date: Tue, 18 Apr 2023 14:29:47 GMT
                                                                      server: LiteSpeed
                                                                      x-ua-compatible: IE=Edge,chrome=1
                                                                      alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:16:29:35
                                                                      Start date:18/04/2023
                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\f_4_T_u_r_4_34536_45645_3345_wo.msi"
                                                                      Imagebase:0x7ff7ce6e0000
                                                                      File size:66048 bytes
                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Target ID:1
                                                                      Start time:16:29:35
                                                                      Start date:18/04/2023
                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                      Imagebase:0x7ff7ce6e0000
                                                                      File size:66048 bytes
                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Target ID:2
                                                                      Start time:16:29:37
                                                                      Start date:18/04/2023
                                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 715EC454D0BEADF2C26248DD1CAED610
                                                                      Imagebase:0x1f0000
                                                                      File size:59904 bytes
                                                                      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Target ID:3
                                                                      Start time:16:29:40
                                                                      Start date:18/04/2023
                                                                      Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Imagebase:0x400000
                                                                      File size:1856512 bytes
                                                                      MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: Windows_Trojan_Generic_a160ca52, Description: unknown, Source: 00000003.00000002.517143988.000000006C729000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.246395172.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\abd1 .exe, Author: Joe Security
                                                                      Antivirus matches:
                                                                      • Detection: 0%, ReversingLabs
                                                                      Reputation:moderate

                                                                      General

                                                                      Target ID:13
                                                                      Start time:16:30:21
                                                                      Start date:18/04/2023
                                                                      Path:C:\Users\user\AppData\Roaming\abd1 .exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\AppData\Roaming\abd1 .exe"
                                                                      Imagebase:0x400000
                                                                      File size:1856512 bytes
                                                                      MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:Borland Delphi
                                                                      Yara matches:
                                                                      • Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 0000000D.00000002.350190121.0000000002260000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_Generic_a160ca52, Description: unknown, Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_RedLineStealer_a7da40b7, Description: unknown, Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_RedLineStealer_d4b38e13, Description: unknown, Source: 0000000D.00000002.407213851.000000006C720000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
                                                                      Reputation:moderate

                                                                      Disassembly

                                                                      Reset < >

                                                                        Execution Graph

                                                                        Execution Coverage:3.8%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:17.5%
                                                                        Total number of Nodes:63
                                                                        Total number of Limit Nodes:2
                                                                        execution_graph 3916 831416 3917 831436 3916->3917 3918 831521 KiUserExceptionDispatcher 3917->3918 3919 831540 3917->3919 3918->3917 3920 831fc8 3921 83200a 3920->3921 3931 8329b7 3921->3931 3923 83207d 3925 832013 3925->3923 3926 832094 3925->3926 3927 83204e 3925->3927 3945 83280f 3926->3945 3927->3923 3939 83295e 3927->3939 3929 832099 3949 8328ab 3929->3949 3932 8329d1 3931->3932 3938 832a8c 3932->3938 3953 83303f 3932->3953 3935 8329e7 3957 832c13 3935->3957 3937 832a2a 3961 832b79 3937->3961 3938->3925 3940 83296c 3939->3940 3976 832e3b 3940->3976 3944 8329a7 3944->3923 3947 83282d 3945->3947 3946 8328a6 3946->3929 3947->3946 3992 83284f 3947->3992 3950 8328c0 3949->3950 3951 83322a KiUserExceptionDispatcher 3950->3951 3952 83290b 3950->3952 3951->3952 3952->3923 3954 83305f 3953->3954 3956 8330c7 3954->3956 3965 83322a 3954->3965 3956->3935 3959 832c31 3957->3959 3958 832ca6 3958->3937 3959->3958 3968 832c53 3959->3968 3963 832b95 3961->3963 3962 832c0a 3962->3938 3963->3962 3972 832bb7 3963->3972 3967 833238 KiUserExceptionDispatcher 3965->3967 3969 832c5f 3968->3969 3970 83322a KiUserExceptionDispatcher 3969->3970 3971 832c92 3970->3971 3971->3958 3973 832bc3 3972->3973 3974 83322a KiUserExceptionDispatcher 3973->3974 3975 832bf6 3974->3975 3975->3962 3978 832e59 3976->3978 3977 83299e 3980 832d75 3977->3980 3978->3977 3984 832e83 3978->3984 3982 832d91 3980->3982 3981 832e34 3981->3944 3982->3981 3988 832dbb 3982->3988 3985 832e8f 3984->3985 3986 83322a KiUserExceptionDispatcher 3985->3986 3987 832eee 3986->3987 3987->3977 3989 832dc7 3988->3989 3990 83322a KiUserExceptionDispatcher 3989->3990 3991 832e22 3990->3991 3991->3981 3993 83285b 3992->3993 3994 83322a KiUserExceptionDispatcher 3993->3994 3995 832892 3994->3995 3995->3946

                                                                        Executed Functions

                                                                        Function 00831416 Relevance: 1.6, APIs: 1, Instructions: 144COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 0 831416-8314f3 10 8314f5 0->10 11 8314f8-8314fd 0->11 10->11 12 83152b-831538 11->12 13 8314ff-83150a 11->13 14 83153a 12->14 15 83153d-83153e 12->15 13->12 16 83150c-83151c 13->16 14->15 15->11 17 831540-83154a 15->17 18 831521-831525 KiUserExceptionDispatcher 16->18 19 83151e 16->19 20 831550-831569 17->20 21 8315fa-831600 17->21 18->12 19->18 20->21 23 83156f-831583 20->23 23->21 25 831585-831593 call 831673 23->25 25->21 28 831595-8315b6 25->28 28->21 30 8315b8-8315f7 28->30 30->21
                                                                        APIs
                                                                        • KiUserExceptionDispatcher.NTDLL(?,007C0190,00000001), ref: 00831525
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DispatcherExceptionUser
                                                                        • String ID:
                                                                        • API String ID: 6842923-0
                                                                        • Opcode ID: 0b8501eb7b498fd3cb14e19702350e5ee8acfd0cccca9fdb623e6c3acbc4e9bb
                                                                        • Instruction ID: 6aabd403d435bdea460a14abbeaa5acabc69991137a13d11c6887f18f6f0c326
                                                                        • Opcode Fuzzy Hash: 0b8501eb7b498fd3cb14e19702350e5ee8acfd0cccca9fdb623e6c3acbc4e9bb
                                                                        • Instruction Fuzzy Hash: D5516A71640701AFEB209F64CC8DFA6BBA8FF44B04F184479FE5AAE185D770A901CB65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 007C6628 Relevance: .3, Instructions: 276COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 33 7c6628-7c6643 34 7c6645 33->34 35 7c6646-7c6651 33->35 34->35 36 7c6a8b-7c6aa6 35->36 37 7c6657-7c665d 35->37 37->36 38 7c6663-7c6669 37->38 38->36 39 7c666f-7c6675 38->39 39->36 40 7c667b-7c6680 39->40 40->36 41 7c6686-7c668d 40->41 41->36 42 7c6693-7c669c 41->42 42->36 43 7c66a2-7c66aa 42->43 43->36 44 7c66b0-7c66b2 43->44 45 7c66b4-7c66d1 44->45 46 7c66f5-7c6703 44->46 45->46 51 7c66d3-7c66e9 45->51 47 7c6707-7c670c 46->47 49 7c670e-7c6712 47->49 50 7c6719-7c671e 47->50 49->47 52 7c6714 49->52 50->49 53 7c6720-7c6752 50->53 51->46 52->36 53->36 55 7c6758-7c675d 53->55 56 7c6a6e-7c6a89 55->56 57 7c6763-7c6778 call 7c6f0e 55->57 56->36 61 7c677a-7c678c call 7c6f0e 57->61 62 7c67b4-7c67b7 57->62 61->62 70 7c678e-7c6792 61->70 64 7c67ba-7c67be 62->64 66 7c67af-7c67b2 64->66 67 7c67c0-7c67c9 64->67 66->55 68 7c67cf-7c67d5 67->68 69 7c6998-7c699e 67->69 71 7c6a3d-7c6a43 68->71 72 7c67db-7c67e1 68->72 74 7c6a64-7c6a69 69->74 70->66 73 7c6794-7c67a4 70->73 71->74 75 7c6a48-7c6a4e 72->75 76 7c67e7-7c67ed 72->76 73->66 82 7c67a6-7c67aa call 7c6617 73->82 74->64 75->74 77 7c6a53-7c6a59 76->77 78 7c67f3-7c67f9 76->78 77->74 80 7c6a5e 78->80 81 7c67ff-7c6805 78->81 80->74 83 7c680b-7c6811 81->83 84 7c6a06-7c6a0c 81->84 82->66 86 7c6817-7c681d 83->86 87 7c6a11-7c6a17 83->87 84->74 88 7c6a1c-7c6a22 86->88 89 7c6823-7c6829 86->89 87->74 88->74 90 7c682f-7c6835 89->90 91 7c6a27-7c6a2d 89->91 92 7c683b-7c6841 90->92 93 7c6a32-7c6a38 90->93 91->74 94 7c69fb-7c6a01 92->94 95 7c6847-7c684d 92->95 93->74 94->74 96 7c69f0-7c69f6 95->96 97 7c6853-7c6859 95->97 96->74 98 7c685f-7c6865 97->98 99 7c69e5-7c69eb 97->99 100 7c69ae-7c69b4 98->100 101 7c686b-7c6871 98->101 99->74 100->74 102 7c69b9-7c69bf 101->102 103 7c6877-7c687d 101->103 102->74 104 7c69c4-7c69ca 103->104 105 7c6883-7c6889 103->105 104->74 106 7c69cf-7c69d5 105->106 107 7c688f-7c6895 105->107 106->74 108 7c69da-7c69e0 107->108 109 7c689b-7c68a1 107->109 108->74 110 7c68a7-7c68ad 109->110 111 7c69a3-7c69a9 109->111 112 7c698d-7c6993 110->112 113 7c68b3-7c68b9 110->113 111->74 112->74 114 7c68bf-7c68c5 113->114 115 7c6982-7c6988 113->115 116 7c691f-7c6925 114->116 117 7c68c7-7c68d1 114->117 115->74 116->74 118 7c692a-7c6930 117->118 119 7c68d3-7c68dd 117->119 118->74 120 7c696c-7c6972 119->120 121 7c68e3-7c68e9 119->121 120->74 122 7c68ef-7c68f5 121->122 123 7c6977-7c697d 121->123 124 7c68f7-7c68fd 122->124 125 7c6940-7c6946 122->125 123->74 126 7c68ff-7c6905 124->126 127 7c694b-7c6951 124->127 125->74 128 7c6956-7c695c 126->128 129 7c6907-7c690d 126->129 127->74 128->74 130 7c690f-7c6915 129->130 131 7c6961-7c6967 129->131 132 7c6935-7c693b 130->132 133 7c6917-7c691a 130->133 131->74 132->74 133->64
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 021c853d2a3df309891dca4a57d426dc176167f18df314d41e3139fbe05db5f2
                                                                        • Instruction ID: 9d65db655629a2a3aacd2b9aaac31459714f6723ab297dfd6cf36a4d94f7efbd
                                                                        • Opcode Fuzzy Hash: 021c853d2a3df309891dca4a57d426dc176167f18df314d41e3139fbe05db5f2
                                                                        • Instruction Fuzzy Hash: CFC1A536504106EFCB24CE54C5E5EA8F771BF84704B18D6ADD60AAB285E738BD80DFA1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00831FC8 Relevance: .1, Instructions: 75COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 182 831fc8-83200e call 8329b7 185 832013-832018 182->185 186 832062-83206d call 8323e3 185->186 187 83201a-832028 call 8335d5 185->187 192 83206f 186->192 193 8320ad-8320b1 186->193 194 83202a-832034 call 833624 187->194 195 832039-832047 call 832690 187->195 196 832072-832078 call 83295e 192->196 194->195 201 83207d-832092 195->201 202 832049-83204c 195->202 196->201 201->193 203 832094-8320a8 call 83280f call 8322e3 call 832772 call 8328ab 202->203 204 83204e-832060 call 8322e3 202->204 203->193 204->196
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7f9ed1de8f4dd9fbac50639af558ee48526b4a7d282f68ad7580d0de5c572cfa
                                                                        • Instruction ID: dcf789812eef37a5596cc531292bbd8ddc84a5c21fbedc20a5795d7e1f472880
                                                                        • Opcode Fuzzy Hash: 7f9ed1de8f4dd9fbac50639af558ee48526b4a7d282f68ad7580d0de5c572cfa
                                                                        • Instruction Fuzzy Hash: 99211D71900209EFCF04EFA9C881EEDBB75FF94300F1486B5E914EA256E7319A45DB91
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 008318C6 Relevance: .0, Instructions: 27COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 258 8318c6-8318ee 260 8318f0-8318fb call 831a7d 258->260 261 831909-831913 258->261 260->261 264 8318fd-831903 call 7c6628 260->264 264->261
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 32d9466ab082d754c5857ac360844da12495f3c18d2a76758841e3bc0cf5d52a
                                                                        • Instruction ID: bc9535ce68156f0d2e2db5d51b649442db19324e557216961f26ed9170c713d1
                                                                        • Opcode Fuzzy Hash: 32d9466ab082d754c5857ac360844da12495f3c18d2a76758841e3bc0cf5d52a
                                                                        • Instruction Fuzzy Hash: 92F03036601219ABDF119F59DD88AC9BBA9FF44751F1181B1FD0DDA210E6328D109A90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00833238 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 32 833238-833251 KiUserExceptionDispatcher
                                                                        APIs
                                                                        • KiUserExceptionDispatcher.NTDLL(E00000F8,00000000,00000000,007C0190,?,?,?,?,?,?,?,?,008330C7,?,00000000), ref: 00833244
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: DispatcherExceptionUser
                                                                        • String ID:
                                                                        • API String ID: 6842923-0
                                                                        • Opcode ID: 4fe73378117aeb3b940880e8bab1d089d95608dfcddab6cb7d29a271d48fb766
                                                                        • Instruction ID: e1ae347e6405edeed2859d0cc0bf3f9371822eecde82135a14987dfe5fc9517e
                                                                        • Opcode Fuzzy Hash: 4fe73378117aeb3b940880e8bab1d089d95608dfcddab6cb7d29a271d48fb766
                                                                        • Instruction Fuzzy Hash: A9C04C76101400AFD7958AE8894C9F57BA97B49380F2504E5B219DB014CA15264D5B51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Non-executed Functions

                                                                        Function 00821216 Relevance: 9.7, Strings: 6, Instructions: 2159COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $$$$$
                                                                        • API String ID: 0-1395034193
                                                                        • Opcode ID: e1a2cecbd5d717c32daa21c098d03fd8f58ef7311799b5cc648fdc4af5df4f73
                                                                        • Instruction ID: c12796ba50fb23194420874a76c7f89d3082be8777d4cdfacdb6b3df9f99ee91
                                                                        • Opcode Fuzzy Hash: e1a2cecbd5d717c32daa21c098d03fd8f58ef7311799b5cc648fdc4af5df4f73
                                                                        • Instruction Fuzzy Hash: 32239DB6E10A099BCB08CB94CD96ADEFBF1FF98214F198558D411F7304E339EA11DA64
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0082E8FC Relevance: 5.3, Strings: 4, Instructions: 253COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0$0$0$0
                                                                        • API String ID: 0-3558443385
                                                                        • Opcode ID: 0c126d4f01464ec752a92e9648e95bba4313b20dbaa55ad99e04e177459038b4
                                                                        • Instruction ID: 52f31f664a5c248fbd3c1620984d870773da19394adfe3bdbfec280502bc9a85
                                                                        • Opcode Fuzzy Hash: 0c126d4f01464ec752a92e9648e95bba4313b20dbaa55ad99e04e177459038b4
                                                                        • Instruction Fuzzy Hash: 7D91B07190022ADBEF15EFA4D891AADBBB5FF18310F5545A9E502E7241E730DEC0DB44
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 008230E5 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID: 0-3916222277
                                                                        • Opcode ID: 7b2fab60ceb50e867c22014844886af6c9858fb1f09f1c81ce8fdfc9c73d740e
                                                                        • Instruction ID: f537c91c0d09037292933003db4dc66deba252e538dbc87565ae7cbd49294118
                                                                        • Opcode Fuzzy Hash: 7b2fab60ceb50e867c22014844886af6c9858fb1f09f1c81ce8fdfc9c73d740e
                                                                        • Instruction Fuzzy Hash: 12212330A0C23DEAD7158A44B4B8AB9B675FB1030DF3044A2F807DA105C7299FF1BA51
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 008319A0 Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: c
                                                                        • API String ID: 0-112844655
                                                                        • Opcode ID: a30322a0d7d501c8886dd065f4f800defb4e63820dd94eb919123dbc90f5bb17
                                                                        • Instruction ID: 585e417b2d0ff52695546169bc1047224806353faf806dcacdbc697815614a48
                                                                        • Opcode Fuzzy Hash: a30322a0d7d501c8886dd065f4f800defb4e63820dd94eb919123dbc90f5bb17
                                                                        • Instruction Fuzzy Hash: 0DF04F36911219ABDF219E58DD88BEABB75FF09351F108161FD08EA251D732CD20ABD0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00831923 Relevance: 1.3, Strings: 1, Instructions: 41COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: c
                                                                        • API String ID: 0-112844655
                                                                        • Opcode ID: 9c43a87c55474666c7caf3853178ca9bfc812dba77ae1a4c3babf431ecec9fea
                                                                        • Instruction ID: 47fa56a4d1e6c6829399212de115f2335404adb99e839534b4e6e357eec7c2f1
                                                                        • Opcode Fuzzy Hash: 9c43a87c55474666c7caf3853178ca9bfc812dba77ae1a4c3babf431ecec9fea
                                                                        • Instruction Fuzzy Hash: 73F04F3690111DABDF219E58DD88BDABBA9FF09321F104161FD08EA650D732CD21ABD0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00824218 Relevance: .2, Instructions: 245COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 87fae33c80cce51eedccfe706c99381271c10ee8454e9280bac1485d746d1d2f
                                                                        • Instruction ID: 9f270687cf3643472b4e85b3f2cb828442fa97c2fac5020d8ed192b90d73e498
                                                                        • Opcode Fuzzy Hash: 87fae33c80cce51eedccfe706c99381271c10ee8454e9280bac1485d746d1d2f
                                                                        • Instruction Fuzzy Hash: 3A819F71200209AFDB11DFA8EC81FAE7BA5FF44361F108165FD18DA291C73298A1DBB1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00822EC3 Relevance: .1, Instructions: 127COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1aa5386fddca93fbcc06a5cd139a119ea25ccbcc1ae576dc787cabc7fa2e08fc
                                                                        • Instruction ID: de4b228a6a49dbcc9bf67d9e810f87877e7fa216d964e863b836fec62e2fc692
                                                                        • Opcode Fuzzy Hash: 1aa5386fddca93fbcc06a5cd139a119ea25ccbcc1ae576dc787cabc7fa2e08fc
                                                                        • Instruction Fuzzy Hash: D8416C3050C53DFBC7248A00F654AB9B671FB50308F7082A2D907EA105CB359FD1BB62
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00823DBE Relevance: .1, Instructions: 105COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a8e0a5bf3eabff632830dbe9b60f8e16048269407162919ce9e5763725bcd323
                                                                        • Instruction ID: 34314d60261516341c9fffda4acc83da1e2060cd2b4d97ab8d9835f1687ea0a3
                                                                        • Opcode Fuzzy Hash: a8e0a5bf3eabff632830dbe9b60f8e16048269407162919ce9e5763725bcd323
                                                                        • Instruction Fuzzy Hash: B2314036A00119ABCF118E94E840AEAF771FF4A321F115165FD19E7250C336DE65DB54
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00823234 Relevance: .1, Instructions: 97COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6cc7a0ec7fe2e56bfdeec117c2f9b8168facbdb40d569bc288108e3b368eda70
                                                                        • Instruction ID: b48945fd7774a092848039a1940e472e8ba4b95b1d89656906dc909ac591f300
                                                                        • Opcode Fuzzy Hash: 6cc7a0ec7fe2e56bfdeec117c2f9b8168facbdb40d569bc288108e3b368eda70
                                                                        • Instruction Fuzzy Hash: 6931253190C63DEBCB48CA65B0B8574B771FB5431EB348166C847DA604DB2CABD0AB96
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00834DAE Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0bda54921f69027fa48e312dbaacf865e4b515a811975807879e6fe262da6694
                                                                        • Instruction ID: dbfb5db2678bd8df064814674ef77df7344d73e016e89c27b0601a6b482ffccc
                                                                        • Opcode Fuzzy Hash: 0bda54921f69027fa48e312dbaacf865e4b515a811975807879e6fe262da6694
                                                                        • Instruction Fuzzy Hash: 23312D3150060A9FDB18CE15C444BA7B7B1FF89320F14DA28E969DB665C3B2F9A0DBC0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00823EFC Relevance: .1, Instructions: 91COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ce2f8646bacc5d10be9cf71090905a3132677cd9e3443f7ad28678b601396211
                                                                        • Instruction ID: 851f3e735c99f834680cf3f95bd7383fcf40a92a8206e12460eb808114622324
                                                                        • Opcode Fuzzy Hash: ce2f8646bacc5d10be9cf71090905a3132677cd9e3443f7ad28678b601396211
                                                                        • Instruction Fuzzy Hash: 9E316D36A00218AFCF118E94E980AEEBB71FF49320F104265FE59D6190CB36DEA1DB50
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00824139 Relevance: .1, Instructions: 78COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e4e26ef11daf87ab04a0686ce64f6e47af8d7da905aeb7d82c4699587d96a8ba
                                                                        • Instruction ID: ca74781849bee862ddebbe229ace4c37a0d904741dc86b3eb964ebf2931776b8
                                                                        • Opcode Fuzzy Hash: e4e26ef11daf87ab04a0686ce64f6e47af8d7da905aeb7d82c4699587d96a8ba
                                                                        • Instruction Fuzzy Hash: E8219632200219ABDB215EA8FC84BBAB729FF55321F105616FD18DA1D0D3729CE1DB71
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0082B818 Relevance: .1, Instructions: 72COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 10aa2256821d2209632b9e387cbaf4d94b8f4eb1b81bd2ecb5d0dedaf77d214d
                                                                        • Instruction ID: dbedc868e562db6265fbac62d2d5e25a5d18cb745cb46b56442a5f87f17c44c6
                                                                        • Opcode Fuzzy Hash: 10aa2256821d2209632b9e387cbaf4d94b8f4eb1b81bd2ecb5d0dedaf77d214d
                                                                        • Instruction Fuzzy Hash: 41017C60A875BE052E380C29308427AE3AEF717BD0F68B83AC59DD7218D300D8C3521E
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 007D2050 Relevance: .1, Instructions: 69COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 080ccfd2cdfb13ee61b32d154f436a0975223fa095e92e60431bfa2a60477620
                                                                        • Instruction ID: a15c74f85e12e012fae90f3534f6c4f13ac9a0ca3b50d0c8edda5809f537f515
                                                                        • Opcode Fuzzy Hash: 080ccfd2cdfb13ee61b32d154f436a0975223fa095e92e60431bfa2a60477620
                                                                        • Instruction Fuzzy Hash: 66218E32418350AFDFA1EEB5C5C5583FBE1BB4B300783A6DAC5545F85AC6207457EB81
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00824574 Relevance: .1, Instructions: 59COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cc7e48c75a4ed9abd7a24ccbc41138df7f1b44b7c12d75df545bfba076468e16
                                                                        • Instruction ID: 96f3f7083101fbed8609487d111d4f2ac7a9da368dc724d2c7ec58140f5a1191
                                                                        • Opcode Fuzzy Hash: cc7e48c75a4ed9abd7a24ccbc41138df7f1b44b7c12d75df545bfba076468e16
                                                                        • Instruction Fuzzy Hash: EB019E367001195BDB10CE5DF980BBA7329FB82371F20926AFD14DB294C632DCA297B0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0082E6F3 Relevance: .1, Instructions: 54COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 119cd661c0b3c20ea8da54369756ec735ab73cb80c1fb8c43630a6d5d311cee5
                                                                        • Instruction ID: 0835ca050b5a00219d51a25ad5d38a4de1bea117bce9a0c56201a1679c4c59e0
                                                                        • Opcode Fuzzy Hash: 119cd661c0b3c20ea8da54369756ec735ab73cb80c1fb8c43630a6d5d311cee5
                                                                        • Instruction Fuzzy Hash: AD019E32710B154BD768CD3E8C440ABF7E7EBD4260B898B2ED5A3C7664C670E911C790
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 007C61D7 Relevance: .1, Instructions: 51COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7d0a129585227074e2bb49faa414f42d080a94a9e0e1d7f9c658cbbe95fa2b7a
                                                                        • Instruction ID: f2217f8bed5d103d35e982c6a3a1e5e9e2571a68b8b3ceb98855a37745e5fa18
                                                                        • Opcode Fuzzy Hash: 7d0a129585227074e2bb49faa414f42d080a94a9e0e1d7f9c658cbbe95fa2b7a
                                                                        • Instruction Fuzzy Hash: C201B337900159EBCF128E84DC809EDBB72FB58311F1585A9FE18A6120C336DA31EB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 008244F0 Relevance: .0, Instructions: 50COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5a865e6d1175138ba8c54bf5ed9a0fd646679dfc3c65505cd6bec62191f9c295
                                                                        • Instruction ID: 6d440e33df0c537ca8813178710304370dc924d77b29801b6c0eed1de91b57c4
                                                                        • Opcode Fuzzy Hash: 5a865e6d1175138ba8c54bf5ed9a0fd646679dfc3c65505cd6bec62191f9c295
                                                                        • Instruction Fuzzy Hash: E5F081336001195BDB119E9DB880BBAB729FB85371F10156AFD48DB290C622DCA197B1
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 00824688 Relevance: .0, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a028ae148752d52ba0f443d12afa4d144b426cdbf7989731a9e66ad17e03a0d4
                                                                        • Instruction ID: 19297b7c54b534e7723c07b28fc852d1405e92402d18f00d5c830f1b8d7e658b
                                                                        • Opcode Fuzzy Hash: a028ae148752d52ba0f443d12afa4d144b426cdbf7989731a9e66ad17e03a0d4
                                                                        • Instruction Fuzzy Hash: B3018C3360020EABDF128E94FC40AEABB35FB55361F049166FE089B150C332D861EBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0082460B Relevance: .0, Instructions: 44COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f5d6b9a881f788539957bb563709ef2e366caada2a9de3ae55a8283e191741b7
                                                                        • Instruction ID: 2713a069189b8faa43b5dadabdf859165b2be3ebdd67f81ada90e71df80178b9
                                                                        • Opcode Fuzzy Hash: f5d6b9a881f788539957bb563709ef2e366caada2a9de3ae55a8283e191741b7
                                                                        • Instruction Fuzzy Hash: 2501317250011AABDF118F94EC40EEABB36FB55361F045166FD189B554C732D861DBA0
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 008248A0 Relevance: .0, Instructions: 41COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7998fcda27276da5fda10b3a9c220e508dfdd3bc5835f49543323e0da92a795c
                                                                        • Instruction ID: 8889928c4b762c34e4582c15ec2c2ac57e12646b6eba1f182cef3ff1752cd2c1
                                                                        • Opcode Fuzzy Hash: 7998fcda27276da5fda10b3a9c220e508dfdd3bc5835f49543323e0da92a795c
                                                                        • Instruction Fuzzy Hash: 75F06D36300218ABEB209E54F880BA9BB65FB40365F109036FA589E5D1C732A994CB24
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 007C6167 Relevance: .0, Instructions: 41COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e7a9622055dae29e557a599c66e8b31cb8a7b3cb9ab97e06ed0b978a9881e9c5
                                                                        • Instruction ID: 6c4f0423c65875c4e858ce91162e954e8b8ad0faf7bad76a30095f85ac96f9c1
                                                                        • Opcode Fuzzy Hash: e7a9622055dae29e557a599c66e8b31cb8a7b3cb9ab97e06ed0b978a9881e9c5
                                                                        • Instruction Fuzzy Hash: DBF06837A40118ABCF11CE98D8809DCF771FB49361F1481A9EE08A7210C3329E60DB90
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%

                                                                        Function 0082F43A Relevance: .0, Instructions: 29COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000003.00000002.505703750.00000000007C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007C0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_3_2_7c0000_abd1 .jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 0c1a67db2fa763cde28673eea125f62b2815e3cdf7fee474c9252a8f279c2a93
                                                                        • Instruction ID: 8dde94a039da4c4278ccf80f743af3a092cdd6eb1afe90e2a05b2d7e312ece2a
                                                                        • Opcode Fuzzy Hash: 0c1a67db2fa763cde28673eea125f62b2815e3cdf7fee474c9252a8f279c2a93
                                                                        • Instruction Fuzzy Hash: 7AF08535E00029DBCF00CE69D8809FFF770FB8A321F508066EE0AAB201C2358801CF65
                                                                        Uniqueness

                                                                        Uniqueness Score: -1.00%