Windows Analysis Report
rNuevoPedidoPO-00843.pdf.com.exe

Overview

General Information

Sample name: rNuevoPedidoPO-00843.pdf.com.exe
Analysis ID: 1501404
MD5: fe0244480b7be035c478b4778d082ed3
SHA1: 8f13321bb29651c263227c7f796e85cb2527830e
SHA256: a388e34ff2cb46b718c443618a4597468bfc2236195c06bccbfa71dbf5d47479
Tags: comexe

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • rNuevoPedidoPO-00843.pdf.com.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
    • rNuevoPedidoPO-00843.pdf.com.exe (PID: 7904 cmdline: "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
      • schtasks.exe (PID: 7972 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • workbook.exe (PID: 8024 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
        • workbook.exe (PID: 4544 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
        • workbook.exe (PID: 7256 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
        • workbook.exe (PID: 7288 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
          • schtasks.exe (PID: 7560 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 1652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • workbook.exe (PID: 8132 cmdline: C:\Users\user\AppData\Roaming\SubDir\workbook.exe MD5: FE0244480B7BE035C478B4778D082ED3)
    • workbook.exe (PID: 5920 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
    • workbook.exe (PID: 6900 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
    • workbook.exe (PID: 6620 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: FE0244480B7BE035C478B4778D082ED3)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author | Strings
0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000007.00000002.1536599229.00000000027A8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000006.00000002.1460317798.0000000002C21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author | Strings
6.2.workbook.exe.47189b0.1.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
6.2.workbook.exe.47189b0.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
6.2.workbook.exe.47189b0.1.raw.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ef4d:$x1: Quasar.Common.Messages
  • 0x29f276:$x1: Quasar.Common.Messages
  • 0x2ab83a:$x4: Uninstalling... good bye :-(
  • 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
6.2.workbook.exe.47189b0.1.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2aadec:$f1: FileZilla\recentservers.xml
  • 0x2aae2c:$f2: FileZilla\sitemanager.xml
  • 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0ba:$b1: Chrome\User Data\
  • 0x2ab110:$b1: Chrome\User Data\
  • 0x2ab3e8:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6f6:$b5: YandexBrowser\User Data\
  • 0x2ab764:$b5: YandexBrowser\User Data\
  • 0x2ab438:$s4: logins.json
  • 0x2ab16e:$a1: username_value
  • 0x2ab18c:$a2: password_value
  • 0x2ab478:$a3: encryptedUsername
  • 0x2fd384:$a3: encryptedUsername
  • 0x2ab49c:$a4: encryptedPassword
  • 0x2fd3a2:$a4: encryptedPassword
  • 0x2fd320:$a5: httpRealm
6.2.workbook.exe.47189b0.1.raw.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab924:$s3: Process already elevated.
  • 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278d08:$s5: GetKeyloggerLogsDirectory
  • 0x29e9d5:$s5: GetKeyloggerLogsDirectory
  • 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

System Summary

Sigma rule matches:
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, ParentProcessId: 7288, ParentProcessName: workbook.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 7560, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe", ParentImage: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe, ParentProcessId: 7904, ParentProcessName: rNuevoPedidoPO-00843.pdf.com.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 7972, ProcessName: schtasks.exe

Suricata IDS alerts:
Timestamp: 2024-08-29T21:36:29.045504+0200 | SID: 2027619 | Severity: 1 | Source Port: 9792 | Destination Port: 49724 | Protocol: TCP | Classtype: Domain Observed Used for C2 Detected
Timestamp: 2024-08-29T21:36:29.045504+0200 | SID: 2035595 | Severity: 1 | Source Port: 9792 | Destination Port: 49724 | Protocol: TCP | Classtype: Domain Observed Used for C2 Detected

AV Detection

                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpackMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoR
cUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | ReversingLabs: Detection: 26%
Source: rNuevoPedidoPO-00843.pdf.com.exe | ReversingLabs: Detection: 26%
Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1536599229.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1460317798.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7904, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7288, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Joe Sandbox ML: detected
Source: rNuevoPedidoPO-00843.pdf.com.exe | Joe Sandbox ML: detected
Source: rNuevoPedidoPO-00843.pdf.com.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49726 version: TLS 1.2
Source: rNuevoPedidoPO-00843.pdf.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FKGT.pdbSHA256 | source: rNuevoPedidoPO-00843.pdf.com.exe, workbook.exe.3.dr
Source: Binary string: FKGT.pdb | source: rNuevoPedidoPO-00843.pdf.com.exe, workbook.exe.3.dr
Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe | Code function: 4x nop then jmp 046D8853h (0_2_046D7DA3)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4x nop then jmp 04C18853h (6_2_04C17DA3)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4x nop then jmp 024E8853h (7_2_024E7DA3)

Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 213.159.74.80:9792 -> 192.168.2.7:49724
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 213.159.74.80:9792 -> 192.168.2.7:49724
Source: Malware configuration extractor | URLs: twart.myfirewall.org
Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.7:49724 -> 213.159.74.80:9792
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: CTINET-ASCTINETAutonomousSystemRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: workbook.exe, 0000000C.00000002.3848010144.00000000018D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: workbook.exe, 0000000C.00000002.3869203445.0000000005F81000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: workbook.exe, 0000000C.00000002.3851669330.0000000003753000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: workbook.exe, 0000000C.00000002.3851669330.0000000003753000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.isd
Source: workbook.exe, 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: workbook.exe, 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1431679235.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 0000000C.00000002.3851669330.000000000359C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rNuevoPedidoPO-00843.pdf.com.exe, workbook.exe.3.dr | String found in binary or memory: http://tempuri.org/DataSet1.xsdSAll
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: workbook.exe, 0000000C.00000002.3851669330.0000000003741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 0000000C.00000002.3851669330.0000000003741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 0000000C.00000002.3851669330.00000000035C2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49726 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\workbook.exe

E-Banking Fraud

Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1536599229.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1460317798.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7904, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7288, type: MEMORYSTR

                System Summary

                barindex
                Source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects QuasarRAT malware; Author: Florian Roth
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers; Author: ditekSHen
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Quasar infostealer; Author: ditekshen
                Source: initial sample; Static PE information: Filename: rNuevoPedidoPO-00843.pdf.com.exe
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_0250DE4C
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D0F58
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D5DC0
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D5DB1
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D3EA8
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D3E99
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D0F48
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D571A
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D5978
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D5988
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D3A70
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D3A51
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_046D42E0
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_04C97080
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_04C90508
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_04C90518
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 0_2_04C97072
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 3_2_02D4F03C
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 3_2_053C1570
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 3_2_053C9068
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 3_2_053C0518
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 3_2_053C0508
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Code function: 3_2_053C9EE0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_0127DE4C
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C10F58
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C142E0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C15DC0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C15DB1
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C13E99
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C13EA8
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C10F48
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C15988
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C15978
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C13A51
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_04C13A70
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_05137080
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_05130518
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_05130508
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 6_2_05137072
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_00CBDE4C
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E0F58
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E3A51
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E3A70
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E42E0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E5978
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E5988
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E3E99
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E3EA8
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E0F48
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E571A
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E5DC0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_024E5DB1
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_04D87080
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_04D80518
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_04D80508
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 7_2_04D87072
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 12_2_01BCF03C
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 12_2_0859B2C0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 12_2_08597E48
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 17_2_02EAF03C
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 17_2_05459068
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 17_2_054520B0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 17_2_05450508
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 17_2_05450518
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Code function: 17_2_05459EE0
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClient.exe. vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1404977123.0000000005290000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1397135760.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1397931960.0000000002671000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000000.1375136998.0000000000406000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameFKGT.exeF vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClient.exe. vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClient.exe. vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameClient.exe. vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe; Binary or memory string: OriginalFilenameFKGT.exeF vs rNuevoPedidoPO-00843.pdf.com.exe
                Source: rNuevoPedidoPO-00843.pdf.com.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@24/5@2/2
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rNuevoPedidoPO-00843.pdf.com.exe.log
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Mutant created: NULL
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\0235e291-5d04-4fa3-932c-869aeec51499
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7984:120:WilError_03
                Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1652:120:WilError_03
                Source: rNuevoPedidoPO-00843.pdf.com.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: rNuevoPedidoPO-00843.pdf.com.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: rNuevoPedidoPO-00843.pdf.com.exe; ReversingLabs: Detection: 26%
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; File read: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe
                Source: unknown; Process created: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe"
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe"
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: unknown; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe"
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: version.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: version.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptnet.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: rNuevoPedidoPO-00843.pdf.com.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: rNuevoPedidoPO-00843.pdf.com.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: rNuevoPedidoPO-00843.pdf.com.exeStatic file information: File size 3750400 > 1048576
                Source: rNuevoPedidoPO-00843.pdf.com.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x393000
                Source: rNuevoPedidoPO-00843.pdf.com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: rNuevoPedidoPO-00843.pdf.com.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: FKGT.pdbSHA256 source: rNuevoPedidoPO-00843.pdf.com.exe, workbook.exe.3.dr
                Source: Binary string: FKGT.pdb source: rNuevoPedidoPO-00843.pdf.com.exe, workbook.exe.3.dr

                Data Obfuscation

                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.26a6ed8.0.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.5290000.2.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: rNuevoPedidoPO-00843.pdf.com.exe  Static PE information: 0xD3A71AE1 [Fri Jul 10 21:19:29 2082 UTC]
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Code function: 0_2_0250B73A push esp; ret  0_2_0250B73B
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Code function: 0_2_0250D4E0 pushfd ; ret  0_2_0250D4E1
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Code function: 0_2_0250D4E3 push edi; ret  0_2_0250D4EE
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Code function: 0_2_046DA6AD push FFFFFF8Bh; iretd  0_2_046DA6AF
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Code function: 0_2_046D9BF1 push ebp; ret  0_2_046D9BFE
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Code function: 6_2_0127D4E0 pushfd ; ret  6_2_0127D4E1
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Code function: 6_2_04C177E7 push cs; retn 0004h  6_2_04C177EA
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Code function: 6_2_04C1A7AD push FFFFFF8Bh; iretd  6_2_04C1A7AF
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Code function: 6_2_04C17769 push cs; retn 0004h  6_2_04C1776A
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Code function: 7_2_024EA7AD push FFFFFF8Bh; iretd  7_2_024EA7AF
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  File created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

                Boot Survival

                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  File opened: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe  Process information set: NOOPENFILEERRORBOX (78 identical events)
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match; File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7744, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: workbook.exe PID: 8024, type: MEMORYSTR
                Source: Yara match; File source: Process Memory Space: workbook.exe PID: 8132, type: MEMORYSTR
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 2500000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 2670000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 4670000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 7A00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 69A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 8A00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 7300000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 1450000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 2DD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: 4DD0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 1210000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 2BB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 4BB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 8190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 6F50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 9190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 7580000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 2760000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 2480000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 6F60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 7F60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 80F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 90F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 1B80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 3590000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 33A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 2CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 2F10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory allocated: 2CB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Window / User API: threadDelayed 5588
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Window / User API: threadDelayed 4220
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe TID: 7796; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe TID: 7940; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 8048; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7456; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 5456; Thread sleep time: -25825441703193356s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 6036; Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 5896; Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: workbook.exe, 0000000C.00000002.3869203445.0000000006023000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWy
                Source: workbook.exe, 0000000C.00000002.3869203445.0000000006023000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: workbook.exe, 0000000C.00000002.3869203445.0000000005F81000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Memory written: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Memory written: C:\Users\user\AppData\Roaming\SubDir\workbook.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe "C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe"
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Queries volume information: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe VolumeInformation
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1536599229.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1460317798.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7904, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7288, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.47189b0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rNuevoPedidoPO-00843.pdf.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.workbook.exe.3de5fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rNuevoPedidoPO-00843.pdf.com.exe.3e79990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1536599229.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1460317798.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rNuevoPedidoPO-00843.pdf.com.exe PID: 7904, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8024, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 8132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7288, type: MEMORYSTR
MITRE ATT&CK matrix (techniques listed per tactic column; the digits preceding a technique are the superscript counts shown in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 21 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 23 System Information Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1501404 | Sample: rNuevoPedidoPO-00843.pdf.com.exe | Startdate: 29/08/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: twart.myfirewall.org
  DNS/IP: ipwho.is
  Signature: Suricata IDS alerts for network traffic
  Signature: Found malware configuration
  Signature: Malicious sample detected (through community Yara rule)
  Signature: 9 other signatures
  Process: rNuevoPedidoPO-00843.pdf.com.exe started
    Created file: C:\...\rNuevoPedidoPO-00843.pdf.com.exe.log, ASCII (dropped)
    Signature: Uses schtasks.exe or at.exe to add and modify task schedules
    Signature: Injects a PE file into a foreign processes
    Process: rNuevoPedidoPO-00843.pdf.com.exe started
      Created file: C:\Users\user\AppData\...\workbook.exe, PE32 (dropped)
      Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      Process: workbook.exe started
        Signature: Multi AV Scanner detection for dropped file
        Signature: Machine Learning detection for dropped file
        Signature: Injects a PE file into a foreign processes
        Process: workbook.exe started
          DNS/IP: twart.myfirewall.org 213.159.74.80, 49724, 9792, CTINET-ASCTINETAutonomousSystemRU, Russian Federation
          DNS/IP: ipwho.is 195.201.57.90, 443, 49726, HETZNER-ASDE, Germany
          Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          Signature: Installs a global keyboard hook
          Process: schtasks.exe started
            Process: conhost.exe started
        Process: workbook.exe started
        Process: workbook.exe started
      Process: schtasks.exe started
        Process: conhost.exe started
  Process: workbook.exe started
    Process: workbook.exe started
    Process: workbook.exe started
    Process: workbook.exe started

Source | Detection | Scanner | Label
rNuevoPedidoPO-00843.pdf.com.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeyLogger
rNuevoPedidoPO-00843.pdf.com.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeKeyLogger
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.datacontract.org/2004/07/d | 0% | Avira URL Cloud | safe
https://ipwho.is | 0% | Avira URL Cloud | safe
https://ipwho.is/ | 0% | Avira URL Cloud | safe
http://tempuri.org/DataSet1.xsdSAll | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/2152978/23354sCannot | 0% | Avira URL Cloud | safe
http://ipwho.is | 0% | Avira URL Cloud | safe
twart.myfirewall.org | 0% | Avira URL Cloud | safe
http://ipwho.isd | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | | unknown
twart.myfirewall.org | 213.159.74.80 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
twart.myfirewall.org | true | Avira URL Cloud: safe | unknown
https://ipwho.is/ | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

Name: https://api.ipify.org/
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

Name: http://schemas.datacontract.org/2004/07/d
Source: workbook.exe, 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://stackoverflow.com/q/14436606/23354
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 0000000C.00000002.3851669330.00000000035C2000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

Name: http://schemas.datacontract.org/2004/07/
Source: workbook.exe, 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

Name: https://stackoverflow.com/q/11564914/23354;
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

Name: http://ipwho.isd
Source: workbook.exe, 0000000C.00000002.3851669330.0000000003753000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: http://tempuri.org/DataSet1.xsdSAll
Source: rNuevoPedidoPO-00843.pdf.com.exe, workbook.exe.3.dr
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://ipwho.is
Source: workbook.exe, 0000000C.00000002.3851669330.0000000003741000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://stackoverflow.com/q/2152978/23354sCannot
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rNuevoPedidoPO-00843.pdf.com.exe, 00000003.00000002.1431679235.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 0000000C.00000002.3851669330.000000000359C000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

Name: http://ipwho.is
Source: workbook.exe, 0000000C.00000002.3851669330.0000000003753000.00000004.00000800.00020000.00000000.sdmp
Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
213.159.74.80 | twart.myfirewall.org | Russian Federation | 13078 | CTINET-ASCTINETAutonomousSystemRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501404
Start date and time: 2024-08-29 21:35:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rNuevoPedidoPO-00843.pdf.com.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@24/5@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 211
• Number of non-executed functions: 15
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: rNuevoPedidoPO-00843.pdf.com.exe
Time | Type | Description
15:36:17 | API Interceptor | 1x Sleep call for process: rNuevoPedidoPO-00843.pdf.com.exe modified
15:36:21 | API Interceptor | 10014391x Sleep call for process: workbook.exe modified
21:36:23 | Task Scheduler | Run new task: workbook path: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                    213.159.74.80rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exeGet hashmaliciousQuasarBrowse
                      ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exeGet hashmaliciousQuasarBrowse
                        Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exeGet hashmaliciousQuasarBrowse
                          4dALKsHYFM.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog Stealer, zgRATBrowse
                            195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                            • /?output=json
                            765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                            • /?output=json
                            765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                            • /?output=json
                            WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                            • /?output=json
                            ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                            • ipwhois.app/xml/
                            cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                            • /?output=json
                            Clipper.exeGet hashmaliciousUnknownBrowse
                            • /?output=json
                            cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                            • /?output=json
                            Cryptor.exeGet hashmaliciousLuca StealerBrowse
                            • /?output=json
                            Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                            • /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 108.181.98.179
ipwho.is | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe | malicious | Quasar | 195.201.57.90
ipwho.is | SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat | malicious | Unknown | 195.201.57.90
ipwho.is | i.bat | malicious | Unknown | 195.201.57.90
ipwho.is | lnk.bat | malicious | Unknown | 195.201.57.90
ipwho.is | saving.exe | malicious | Njrat | 195.201.57.90
ipwho.is | 98.exe | malicious | Unknown | 195.201.57.90
ipwho.is | 98.exe | malicious | Unknown | 195.201.57.90
ipwho.is | DD9HRh91B1.exe | malicious | Quasar | 195.201.57.90
twart.myfirewall.org | rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | 4dALKsHYFM.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer, zgRAT | 213.159.74.80
twart.myfirewall.org | doc_RFQ NEW ORDER #2400228341.pdf.exe | malicious | AsyncRAT | 41.151.251.119
twart.myfirewall.org | doc_Rfq_TNTM #U00daj rend TM00002916620 exp_pdf.exe | malicious | XWorm | 103.35.191.158
twart.myfirewall.org | 6KfY269eO6.exe | malicious | LodaRAT | 103.35.191.158
twart.myfirewall.org | #U00daj megrendel#U00e9s - 00905173088 CPTL #U00e1raj#U00e1nlat - egyenk#U00e9nt 100.exe | malicious | MailPassView, XpertRAT | 103.35.191.158
twart.myfirewall.org | Enquiry_300522_PDF.exe | malicious | AgentTesla, GuLoader | 2.56.57.193
twart.myfirewall.org | Enquire_260522_pdf.exe | malicious | AgentTesla, GuLoader | 2.56.57.193
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-AS DE | file.exe | malicious | Vidar | 94.130.188.148
HETZNER-AS DE | Sepco RFQ.xls | malicious | Remcos | 88.99.66.38
HETZNER-AS DE | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 88.99.66.38
HETZNER-AS DE | Swift Payment.xls | malicious | FormBook | 88.99.66.38
HETZNER-AS DE | Paul Agrotis List.xls | malicious | FormBook | 88.99.66.38
HETZNER-AS DE | http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA== | malicious | HTMLPhisher | 88.99.252.96
HETZNER-AS DE | IDM_ACT.exe | malicious | Fredy Stealer | 5.161.243.5
HETZNER-AS DE | IDM_ACT.exe | malicious | Fredy Stealer | 5.161.243.5
HETZNER-AS DE | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 88.99.66.38
HETZNER-AS DE | PO-014842-2.xls | malicious | FormBook | 88.99.66.38
CTINET-AS CTINET Autonomous System RU | rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 213.159.74.80
CTINET-AS CTINET Autonomous System RU | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar | 213.159.74.80
CTINET-AS CTINET Autonomous System RU | Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe | malicious | Quasar | 213.159.74.80
CTINET-AS CTINET Autonomous System RU | 4dALKsHYFM.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer, zgRAT | 213.159.74.80
CTINET-AS CTINET Autonomous System RU | yEL4yMV0s4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 213.159.64.146
CTINET-AS CTINET Autonomous System RU | AGREEMENT AND APPROVAL REPORT FECRWY RN & FR OF 2024-501144_6.5.24.pdf | malicious | HTMLPhisher | 213.159.64.109
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | DTR Image_capture 27082024 JPEG FILE.exe | malicious | FormBook | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Invoice.wsf | malicious | AsyncRAT, PureLog Stealer | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://getquckbulck.top | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | z47maaaaaaaaaaaaax.exe | malicious | AgentTesla | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://decktop.us/MUYKd1 | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Page1.exe | malicious | AgentTesla, GuLoader | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Detailed Itinerary.exe | malicious | PureLog Stealer, XWorm | 195.201.57.90
                            No context
Process: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.137989037915285
Encrypted: false
SSDEEP: 6:kKRd9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:uDnLNkPlE99SNxAhUe/3
MD5: 892AD05CCF78DB95970AEDFD5334654D
SHA1: 4EE34A91E5E380878F225DB4413E9FAA2FA08925
SHA-256: 22E934A65845DF387976C8DDE352EB2EF9960D74D31CDBCEA5F90772B48BC449
SHA-512: 351673D5FBA010AB7F0114080C65428B3F15E29CE2EC5FA9F9E93BEA7B73B4DB0BDA1296B2B7AB2B98D4C38F9DA46DB941D9829E95AE5FDB5AF2B2160BB88025
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3750400
Entropy (8bit): 7.992710382199595
Encrypted: true
SSDEEP: 49152:au2JhK0dN9R2QAhDm2NMDy0h7EFM6mNaZWZQ303GS3Wb9Slw+NVa3nhjzCAIjq4m:V2e0tAhayzFM6T5gGJbElw+P4nh6N
MD5: FE0244480B7BE035C478B4778D082ED3
SHA1: 8F13321BB29651C263227C7F796E85CB2527830E
SHA-256: A388E34FF2CB46B718C443618A4597468BFC2236195C06BCCBFA71DBF5D47479
SHA-512: 624DCC507E48A945C2956A8DA39E28DB477397173241022D30232653B32D2907A6048FBD2E79013D33157293F73A1ED2996AB2EC7E51D663C022C5F99AAFCC00
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 26%
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.992710382199595
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: rNuevoPedidoPO-00843.pdf.com.exe
File size: 3'750'400 bytes
MD5: fe0244480b7be035c478b4778d082ed3
SHA1: 8f13321bb29651c263227c7f796e85cb2527830e
SHA256: a388e34ff2cb46b718c443618a4597468bfc2236195c06bccbfa71dbf5d47479
SHA512: 624dcc507e48a945c2956a8da39e28db477397173241022d30232653b32d2907a6048fbd2e79013d33157293f73a1ed2996ab2ec7e51d663c022c5f99aafcc00
SSDEEP: 49152:au2JhK0dN9R2QAhDm2NMDy0h7EFM6mNaZWZQ303GS3Wb9Slw+NVa3nhjzCAIjq4m:V2e0tAhayzFM6T5gGJbElw+P4nh6N
TLSH: 300633ABD9A9C071E45E46B4D9CF62A0337134EB4911E3CEB9BCAFC7F270166D204496
Icon Hash: 00928e8e8686b000
Entrypoint: 0x794ffa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xD3A71AE1 [Fri Jul 10 21:19:29 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x394fa5 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x396000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x398000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x393a48 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x393000 | 0x393000 | c1d11ebc83fd6ae3bca14ea366c715ac | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x396000 | 0x5c4 | 0x600 | 5d21724b2a1c5990a7f49eac6fc070e3 | False | 0.427734375 | data | 4.154188559116303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x398000 | 0xc | 0x200 | 7e83c368f8219298a22f43298af8d432 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x396090 | 0x334 | data | | | 0.4317073170731707
RT_MANIFEST | 0x3963d4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-29T21:36:29.045504+0200 | TCP | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
2024-08-29T21:36:29.045504+0200 | TCP | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 21:36:28.545073032 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:28.550127983 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:28.550240040 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:28.557168007 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:28.562094927 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:29.031904936 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:29.031924009 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:29.032018900 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:29.037333965 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:29.045504093 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:29.142438889 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:29.335897923 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:30.605688095 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:30.605717897 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:30.605777979 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:30.607011080 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:30.607028961 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.474729061 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.475013971 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:31.481141090 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:31.481158018 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.481379986 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.486629963 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:31.532500982 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.749367952 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.749444008 CEST | 443 | 49726 | 195.201.57.90 | 192.168.2.7
Aug 29, 2024 21:36:31.749680042 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:31.813637018 CEST | 49726 | 443 | 192.168.2.7 | 195.201.57.90
Aug 29, 2024 21:36:32.005661011 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:32.013067007 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:32.013180017 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:32.022629023 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:32.152961016 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:32.238750935 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:36:32.238877058 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:57.242259979 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:36:57.248559952 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:37:22.257946014 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:37:22.263698101 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:37:47.273883104 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:37:47.283979893 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:38:12.289372921 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:38:12.294512987 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:38:37.305120945 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:38:37.310055017 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:39:02.508558035 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:39:02.513468027 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:39:27.696500063 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:39:27.701427937 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:39:52.713473082 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:39:52.718523979 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Aug 29, 2024 21:40:17.727370024 CEST | 49724 | 9792 | 192.168.2.7 | 213.159.74.80
Aug 29, 2024 21:40:17.733793974 CEST | 9792 | 49724 | 213.159.74.80 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 21:36:28.523500919 CEST | 57895 | 53 | 192.168.2.7 | 1.1.1.1
Aug 29, 2024 21:36:28.536295891 CEST | 53 | 57895 | 1.1.1.1 | 192.168.2.7
Aug 29, 2024 21:36:30.589589119 CEST | 55136 | 53 | 192.168.2.7 | 1.1.1.1
Aug 29, 2024 21:36:30.599805117 CEST | 53 | 55136 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 21:36:28.523500919 CEST | 192.168.2.7 | 1.1.1.1 | 0xbfd | Standard query (0) | twart.myfirewall.org | A (IP address) | IN (0x0001) | false
Aug 29, 2024 21:36:30.589589119 CEST | 192.168.2.7 | 1.1.1.1 | 0xf85d | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 21:36:28.536295891 CEST | 1.1.1.1 | 192.168.2.7 | 0xbfd | No error (0) | twart.myfirewall.org | | 213.159.74.80 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 21:36:30.599805117 CEST | 1.1.1.1 | 192.168.2.7 | 0xf85d | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                            • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49726 | 195.201.57.90 | 443 | 7288 | C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            TimestampBytes transferredDirectionData
                            2024-08-29 19:36:31 UTC150OUTGET / HTTP/1.1
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                            Host: ipwho.is
                            Connection: Keep-Alive
2024-08-29 19:36:31 UTC | 223 | IN | HTTP/1.1 200 OK
                            Date: Thu, 29 Aug 2024 19:36:31 GMT
                            Content-Type: application/json; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Server: ipwhois
                            Access-Control-Allow-Headers: *
                            X-Robots-Tag: noindex
2024-08-29 19:36:31 UTC | 1028 | IN | Data Raw: (hex dump of the response body omitted; the decoded text follows as Data Ascii)
                            Data Ascii: 3f8{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor
                            Target ID:0
                            Start time:15:36:16
                            Start date:29/08/2024
                            Path:C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe"
                            Imagebase:0x70000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1397931960.00000000026DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1399966281.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1418504461.0000000007A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:15:36:18
                            Start date:29/08/2024
                            Path:C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\rNuevoPedidoPO-00843.pdf.com.exe"
                            Imagebase:0x730000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1421217938.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1421217938.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:4
                            Start time:15:36:21
                            Start date:29/08/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                            Imagebase:0xe0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:15:36:21
                            Start date:29/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:15:36:21
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0x510000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1460317798.0000000002C21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1479598155.0000000004718000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1504871509.0000000008CF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 26%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:15:36:23
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Imagebase:0xb0000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1536599229.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1586129058.0000000003DE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true

                            Target ID:10
                            Start time:15:36:23
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0x690000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:11
                            Start time:15:36:24
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0x3a0000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:12
                            Start time:15:36:24
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0xfc0000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000C.00000002.3851669330.000000000379F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                            Target ID:13
                            Start time:15:36:27
                            Start date:29/08/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                            Imagebase:0xe0000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:15:36:27
                            Start date:29/08/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:15:36:33
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0x500000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:16
                            Start time:15:36:33
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0x1a0000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:17
                            Start time:15:36:33
                            Start date:29/08/2024
                            Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                            Imagebase:0x7e0000
                            File size:3'750'400 bytes
                            MD5 hash:FE0244480B7BE035C478B4778D082ED3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:10.3%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:219
                              Total number of Limit Nodes:9

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1404483872.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c90000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID: $Iq
                              • API String ID: 0-312629932
                              • Opcode ID: e318b0b343bf38effdcc83628c4e52493f58fa10636253a2d108d8b4d4f0d907
                              • Instruction ID: 76b81125b9600577dfd39b2329edd03ac52bf8b39ef1abeed4f5585ba1b72300
                              • Opcode Fuzzy Hash: e318b0b343bf38effdcc83628c4e52493f58fa10636253a2d108d8b4d4f0d907
                              • Instruction Fuzzy Hash: 8DE2B434A11219DFDB24DF68C988AD9B7B2FF89304F5182E9D409AB355DB31AE81CF50

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1404483872.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c90000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID: $Iq
                              • API String ID: 0-312629932
                              • Opcode ID: c7b77fccbf8c0514e67e71af1c4d05cc825ce84c55c9b004d78b235031451296
                              • Instruction ID: a424370322f9f0d284379c99e5311acd51266e0a2a89b07cf7992dad5c717ef6
                              • Opcode Fuzzy Hash: c7b77fccbf8c0514e67e71af1c4d05cc825ce84c55c9b004d78b235031451296
                              • Instruction Fuzzy Hash: 31D29234A11219CFDB24DF64C998AD9B7B2FF8A304F5142E9D409AB365DB31AE85CF40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6c727fbabba17cf7fcb341890620a0b87ca9edeca4ef83182afed8c076a84e66
                              • Instruction ID: ce84a30163b505715a07a1307cd54919470466a85a4d12c4cc56640e94bc0ea8
                              • Opcode Fuzzy Hash: 6c727fbabba17cf7fcb341890620a0b87ca9edeca4ef83182afed8c076a84e66
                              • Instruction Fuzzy Hash: B321EAB1D046198BEB18CFA7D9553EEFBF6AFC9300F14C06AD409A62A4EB741946CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3a1b6caecffe12e9c1267c78a9415c3fb38c03bf923ef468e818215763d1c193
                              • Instruction ID: e4dd244f27ffb616543c4f4615c1b396dff8c7546d43a7353fe1e4b885e19cff
                              • Opcode Fuzzy Hash: 3a1b6caecffe12e9c1267c78a9415c3fb38c03bf923ef468e818215763d1c193
                              • Instruction Fuzzy Hash: E621E7B0E046188BEB18CFA7D8553EEFAF6AFC9300F14C06AD40976254EBB419468F90

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6aac-46d6b4d, basic blocks spanning 46d6aac-46d6dfd; CreateProcessA called from block 46d6c47-46d6d01
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 046D6CEE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 98a7ca0c038aa52ce227872c9f54acb68d1cf729431f859923cddfdb566eec73
                              • Instruction ID: bab5711d8e5d6efdc7b7ae433a82acda00e5f3c030aebdc26c0bfe77b30f43fb
                              • Opcode Fuzzy Hash: 98a7ca0c038aa52ce227872c9f54acb68d1cf729431f859923cddfdb566eec73
                              • Instruction Fuzzy Hash: B1A13B71D00219DFEB24CF68C841BEDBBB2FF48314F14856AD859A7290EB74A985CF91

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6ab8-46d6b4d, basic blocks spanning 46d6ab8-46d6dfd; CreateProcessA called from block 46d6c47-46d6d01
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 046D6CEE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: f6a3212b180c1e532e281000d0435feb0e083858f71c8fbeca00057ea1e83d16
                              • Instruction ID: 19dd9047d8154edcea95f619d414d4a22b990b6f8285be46dbf2ea8809f8300c
                              • Opcode Fuzzy Hash: f6a3212b180c1e532e281000d0435feb0e083858f71c8fbeca00057ea1e83d16
                              • Instruction Fuzzy Hash: DD914B71D00219DFEB24CF68C841BEDBBB2FF48314F14856AD819A7240EB74A985CF91

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 25044b4-25059d9, basic blocks spanning 25044b4-2505a61; CreateActCtxA called from the entry block
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 025059C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: e39d4bd1c38d9793a238ecdc6f17243a9712b0eef7c9a23384d1d0d1c9acf9d9
                              • Instruction ID: 67329ca36e6e7bb325fca3c482a52b246fd93afa1b0da711b89db7c5921321a1
                              • Opcode Fuzzy Hash: e39d4bd1c38d9793a238ecdc6f17243a9712b0eef7c9a23384d1d0d1c9acf9d9
                              • Instruction Fuzzy Hash: B341D270D0071DCFEB24DFAAC885B8DBBB5BF49308F60846AD408AB251D7756949CF94

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 4c943a0-4c943dc, basic blocks spanning 4c943a0-4c944bc; CallWindowProcW called from block 4c9443a-4c94472
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04C94461
                              Memory Dump Source
                              • Source File: 00000000.00000002.1404483872.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c90000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 378196c871dc4721101092d87d04d5315089cecb246e6e15fb89d1488e8eeedf
                              • Instruction ID: 729e9a0b68366220706a8558b6884b6532dec386fbb247664f151a12a69a06bb
                              • Opcode Fuzzy Hash: 378196c871dc4721101092d87d04d5315089cecb246e6e15fb89d1488e8eeedf
                              • Instruction Fuzzy Hash: 27412BB5900305DFDB14CF99C448A9ABBF6FF88314F24C459D519AB321D374A941CFA4

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 250590d-25059d9, basic blocks spanning 250590d-2505a61; CreateActCtxA called from the entry block
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 025059C9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: a49a90a08a752e5472d7d114a39cce28a55c5e6b632e84b64e967bd02290b24f
                              • Instruction ID: 94efff5033b7012ad81ec719aa7bf6e7aa789c6331615a8af439d18f1d155252
                              • Opcode Fuzzy Hash: a49a90a08a752e5472d7d114a39cce28a55c5e6b632e84b64e967bd02290b24f
                              • Instruction Fuzzy Hash: DD41F170D00719CFEB24DFA9C884B8DBBB2BF49304F60806AD408AB291DB75694ACF44

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6829-46d687e, basic blocks spanning 46d6829-46d6906; WriteProcessMemory called from block 46d688e-46d68cd
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 046D68C0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 87a3240d2b23ebec565334ed46b25ad5ceeb182e4fd693c9cd6add2a8686b009
                              • Instruction ID: ddf89650706578552742852fa257ea3c1fc39153053a8ddcda9eed38e8f9b9f7
                              • Opcode Fuzzy Hash: 87a3240d2b23ebec565334ed46b25ad5ceeb182e4fd693c9cd6add2a8686b009
                              • Instruction Fuzzy Hash: 13215575D003088FDB14CFA9C980BEEBBF0FF48310F10842AE959A7250C738A544CBA4

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6830-46d687e, basic blocks spanning 46d6830-46d6906; WriteProcessMemory called from block 46d688e-46d68cd
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 046D68C0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 56f9196a2b3a2392c7aa557ec6c071dffaf2dd3bb30d3097ed58423add34b5bb
                              • Instruction ID: 7544bb7db5b0a2bbef7fa68074b90fd0e092a2955ae9b7a0aa0ca6d8303cd841
                              • Opcode Fuzzy Hash: 56f9196a2b3a2392c7aa557ec6c071dffaf2dd3bb30d3097ed58423add34b5bb
                              • Instruction Fuzzy Hash: 8E211371D003499FDB14CFAAC885BEEBBF5FB48310F10842AE919A7240D778A944CBA5

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 250b7f0-250d834, basic blocks spanning 250b7f0-250d85a; DuplicateHandle called from the entry block
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0250D766,?,?,?,?,?), ref: 0250D827
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 5922bd180443dc01a1613e1ae70312c790ce299a5c3a457e42493e4f71c9581d
                              • Instruction ID: ae2cc138a455587fce1bee227dc05e802ee162d550f6c03c38a7303489900c4e
                              • Opcode Fuzzy Hash: 5922bd180443dc01a1613e1ae70312c790ce299a5c3a457e42493e4f71c9581d
                              • Instruction Fuzzy Hash: 3121E5B5D01248DFDB10CF9AD984AEEBBF4FB48310F14841AE914A7350D378A940CFA5
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 046D69A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 64f4a1f46f0813a0f3ddd9da8cde9c160e48900efba539cd884f6ef1fba4689c
                              • Instruction ID: 2fa1b412a2ffefc6d5b6ce7e0ee9e6042fd4e8a6971ffc796fd6aebb7f1b2fe3
                              • Opcode Fuzzy Hash: 64f4a1f46f0813a0f3ddd9da8cde9c160e48900efba539cd884f6ef1fba4689c
                              • Instruction Fuzzy Hash: F2212571C003499FDB14CFAAC880BEEBBF5FF48310F10842AE958A7240D739A900DBA5

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6919-46d69ad, basic blocks spanning 46d6919-46d69e6; ReadProcessMemory called from the entry block
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 046D69A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 397257b090958f24b5b311298204e382281fc7882c6830dd765c5e11ddd9e3a4
                              • Instruction ID: 577750178d2427bd3232657d1014f73b74e880c404e1225db03f19661c5b5778
                              • Opcode Fuzzy Hash: 397257b090958f24b5b311298204e382281fc7882c6830dd765c5e11ddd9e3a4
                              • Instruction Fuzzy Hash: 80210375C003498FDB14CFAAC981BEEBBF5FF48310F14842AE959A7250C738A541DB65

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6698-46d66e3, basic blocks spanning 46d6698-46d675c; Wow64SetThreadContext called from block 46d66f3-46d6723
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 046D6716
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 7b6e38319ff82eb08953584e073cbaa71bc40407fc191251d983fe3c3db6fc05
                              • Instruction ID: 02b16c19dcaa330434cbf4481ef714f458cc5ba7a578134fc62964bca0dfe7d2
                              • Opcode Fuzzy Hash: 7b6e38319ff82eb08953584e073cbaa71bc40407fc191251d983fe3c3db6fc05
                              • Instruction Fuzzy Hash: 1F210471D003098FEB14DFAAC485BEEBBF4EB48310F14842AD559A7341DB78A945CBA5

                              Control-flow Graph
                              • Control-flow graph (rendered image not recoverable as text): entry block 46d6694-46d66e3, basic blocks spanning 46d6694-46d675c; Wow64SetThreadContext called from block 46d66f3-46d6723
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 046D6716
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 0de6087ce1993f9bcf7da17a0012ba8643ad9b07107c39c00e17daf2256259f4
                              • Instruction ID: 6b2af7c15d31044d16adccfbee0d66b490ef5b3f1291acba641cbf191498235e
                              • Opcode Fuzzy Hash: 0de6087ce1993f9bcf7da17a0012ba8643ad9b07107c39c00e17daf2256259f4
                              • Instruction Fuzzy Hash: 5C212371D003098FEB14DFAAC4857EEBBF4EB48210F14842AD519A7240DB78A944CBA5
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0250D766,?,?,?,?,?), ref: 0250D827
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: a2a007172bfac4dc970c186f1c4f9d4f67b1a3761615ed63ee29945c8b080339
                              • Instruction ID: db82099599e9f6ac4ec4ec269e0cd040813980a92567628b11ada1414411ab70
                              • Opcode Fuzzy Hash: a2a007172bfac4dc970c186f1c4f9d4f67b1a3761615ed63ee29945c8b080339
                              • Instruction Fuzzy Hash: 5F21C4B5D01248DFDB10CF9AD984ADEBBF4FB48320F14841AE918A7350D379A944CFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 046D67DE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 1a2731fe0e992b493228c5818f4e0a25491c5da81bcd3bba2e61ea60153cd681
                              • Instruction ID: 4f36b1a0eae469a1b647f3a66a043709650ce77b63de6bb716e40311e4a0789e
                              • Opcode Fuzzy Hash: 1a2731fe0e992b493228c5818f4e0a25491c5da81bcd3bba2e61ea60153cd681
                              • Instruction Fuzzy Hash: F41147768003498FDB24CFA9C844BEFBBF5EB48310F248419E555A7250CB359541DBA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: e8f4cc5f39c83eb1d4d9f60b2b58d49ae4a3f72636f21ca8a89dc7e6d34631ac
                              • Instruction ID: d3908a3533bbde6daf797dbe3b2d0081074ccb421b23c8eb5976b47f337c96bd
                              • Opcode Fuzzy Hash: e8f4cc5f39c83eb1d4d9f60b2b58d49ae4a3f72636f21ca8a89dc7e6d34631ac
                              • Instruction Fuzzy Hash: C01179B1D043488FEB24CFAAC8457EEFBF4EB48220F14841DD519A7340DB79A501CB95
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0250B871,00000800,00000000,00000000), ref: 0250BA82
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 8f30f029cf6d0fcf135ed24e85d2ca4cbdada64bb05f4ba7616551d29f94658f
                              • Instruction ID: 06fff523aefa5060064724151fa006a3a5e7ebd844202d83ba1116100f0e7475
                              • Opcode Fuzzy Hash: 8f30f029cf6d0fcf135ed24e85d2ca4cbdada64bb05f4ba7616551d29f94658f
                              • Instruction Fuzzy Hash: 141103B6D003499FDB20CF9AC884ADEFBF5EB48214F10842AE419A7750C379A545CFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 046D67DE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 6241b58b082722b7c2d06ea9ec9cc074116f1c8634a29f4820facf0275ae238c
                              • Instruction ID: 658bf25d90b386651e658c97d6e3ee99d3ac4358da0fcefc54e4b064b9cd7007
                              • Opcode Fuzzy Hash: 6241b58b082722b7c2d06ea9ec9cc074116f1c8634a29f4820facf0275ae238c
                              • Instruction Fuzzy Hash: D5112676D003499FDB24DFAAC844BDEBBF5EB48310F148419E515A7250CB75A540CBA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0250B871,00000800,00000000,00000000), ref: 0250BA82
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 1d3444f729c0b479a42cfe48b3f9f3e08bb98178dfa2f4086ebc065d46e4bca7
                              • Instruction ID: eaf1e6297474d591e0fefb23ef3a6612571bae0682479a1b8634f5fdf8aa20b8
                              • Opcode Fuzzy Hash: 1d3444f729c0b479a42cfe48b3f9f3e08bb98178dfa2f4086ebc065d46e4bca7
                              • Instruction Fuzzy Hash: 1311E2B6D002499FDB24CF9AD884ADEFBF4EB48314F10842AD419A7650C379A545CFA5
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,046D9C91,?,?), ref: 046D9E38
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: e3329f95c8da5cafde0a1ad7f6c9f00c2e58112ba3e1010c1ec67b31232ba7ff
                              • Instruction ID: 6b1d7e190b39ec5bae68d272b22712bfb71e57b6c0638c7edd00772dfb8af773
                              • Opcode Fuzzy Hash: e3329f95c8da5cafde0a1ad7f6c9f00c2e58112ba3e1010c1ec67b31232ba7ff
                              • Instruction Fuzzy Hash: D41143B5800248CFDB20DF9AC545BDEBBF4EB48320F108419D968A7350D339A549CFA5
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,046D9C91,?,?), ref: 046D9E38
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: e42677dfd2962886fa39f4f3fc399995ffe4155dc9326af84dbd649dcad8b628
                              • Instruction ID: 8e273aa5dd150081fdbb0f62efb57aae17fe9ca46024087b9d991d219d580880
                              • Opcode Fuzzy Hash: e42677dfd2962886fa39f4f3fc399995ffe4155dc9326af84dbd649dcad8b628
                              • Instruction Fuzzy Hash: 6E1113B5800649CFEB20DF9AC445BEEBBF4EB48320F10841AD958A7750D338A945CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: fae389226a9e1e0b87357ed9bd2ea6229a6d2da77fd0ff1163806e1abb31adf3
                              • Instruction ID: 9dc7735fbdb8b3e54ff3bcadb803c3f733a90b1b88de1290c9f396c96355a159
                              • Opcode Fuzzy Hash: fae389226a9e1e0b87357ed9bd2ea6229a6d2da77fd0ff1163806e1abb31adf3
                              • Instruction Fuzzy Hash: 2D113A71D003488FDB24DFAAC8457DEFBF4EB48310F248419D519A7340CB79A540CB95
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 046D9185
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: c8a39e89ef4bc3b4c5695270a0c5d7d6595c81c0be5319b98a3196d05d1bade1
                              • Instruction ID: c74e63239439f8f770834348cafbc331b794e277ff5449deb5c80dd6bdfb9c13
                              • Opcode Fuzzy Hash: c8a39e89ef4bc3b4c5695270a0c5d7d6595c81c0be5319b98a3196d05d1bade1
                              • Instruction Fuzzy Hash: CD11E0B58003489FEB20DF9AC889BDEBBF8EB58310F108459E518A7250D375A944CFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0250B3F6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 3a97d0e96eb531955fae76b855ac13f60c7fc947c441c379d4c67239e9d79b04
                              • Instruction ID: 4e92e3e9626660a24d2a5b26e6b24d20b28caf37455a5e287181164810f61054
                              • Opcode Fuzzy Hash: 3a97d0e96eb531955fae76b855ac13f60c7fc947c441c379d4c67239e9d79b04
                              • Instruction Fuzzy Hash: 7811E0B6C00749CFDB24CF9AD884BDEFBF4EB88214F10851AD429A7650C379A545CFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0250B3F6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: f89296709976d155fea76a5ba71e9af4458df7b0e50ebb68ff7b39b558f86324
                              • Instruction ID: 62a2000e563ea74566f88fb866a5d368a6d0301a60ff24d60cc8ba827b90fb63
                              • Opcode Fuzzy Hash: f89296709976d155fea76a5ba71e9af4458df7b0e50ebb68ff7b39b558f86324
                              • Instruction Fuzzy Hash: 7311E0B6C00749CFDB24CF9AD884BDEFBF4EB88214F10851AD429A7650C379A545CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 046D9185
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 207681d53c90ced526e12014f277367fca03af477ef7b58ac482a0c821242be6
                              • Instruction ID: 0a5b90bb87779ebe1575970fb8ac3194daf5a97b45bb16c146baf1a508fa38a8
                              • Opcode Fuzzy Hash: 207681d53c90ced526e12014f277367fca03af477ef7b58ac482a0c821242be6
                              • Instruction Fuzzy Hash: 5B11F2B58003489FDB20CF9AC885BDEBBF4EB48314F108419E558A7650D375A944CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397026141.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7f672de76214ce73ec15c5fabaf856820cb6291a5b993dbbe40182df4432627d
                              • Instruction ID: 10641e5006777fc7cb17a02dd8e5565b6a956882ac8c3b6a34043029e8a65c42
                              • Opcode Fuzzy Hash: 7f672de76214ce73ec15c5fabaf856820cb6291a5b993dbbe40182df4432627d
                              • Instruction Fuzzy Hash: A821F172504308EFDB15DF94E9C0B66BB65FB88314F208569E9090B296C336D816CBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397026141.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72ef7f2c021102d853e1a589c7fa8171d4b13fc59101ff6c15abed77225f2476
                              • Instruction ID: d8e8f69b3d94738fc1761b06805ca53f9dbb97d75c7ede6884ae87cd26913408
                              • Opcode Fuzzy Hash: 72ef7f2c021102d853e1a589c7fa8171d4b13fc59101ff6c15abed77225f2476
                              • Instruction Fuzzy Hash: 0721D372504248EFDB15DF54E9C0B26BF65FB88318F24C569ED090F296C336E856CAA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397112719.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a1d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f4d3828acae065102ba6b8cc704e081564615d9e382ac21e94f06e57e3ff138
                              • Instruction ID: 94b03f9ee8765af5cc26ebfa1a39192eddcdff1ff1a852ad1a9aeab415624236
                              • Opcode Fuzzy Hash: 6f4d3828acae065102ba6b8cc704e081564615d9e382ac21e94f06e57e3ff138
                              • Instruction Fuzzy Hash: D2210771504300EFDB15DF14D5C0BA5BBA5FB84314F24C66DE8094F292C336D886CA61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397112719.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a1d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 828085b284b92e83e1395ab2d132f1f41b0d976ea9347bcf56307a4c74438072
                              • Instruction ID: 07c6588c344e688a811610643bee336c0f7af834fb939ef5c359b407bd42725e
                              • Opcode Fuzzy Hash: 828085b284b92e83e1395ab2d132f1f41b0d976ea9347bcf56307a4c74438072
                              • Instruction Fuzzy Hash: 7221F275604300EFDB14DF24D9C4B66BB65FB88314F24C56DE80A4F296C33AD887CA62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397112719.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a1d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f4a9a836fca453fd451ce5a5ba1aa429b4fe3abaec7b3849f8db14ca8f0306e
                              • Instruction ID: e12faf1d1de63218f269a54bf0603205280a7fa81a3e30c39372f9e0d3b8b9d9
                              • Opcode Fuzzy Hash: 8f4a9a836fca453fd451ce5a5ba1aa429b4fe3abaec7b3849f8db14ca8f0306e
                              • Instruction Fuzzy Hash: 51219F75509380DFCB16CF24D990B15BF71EB49314F28C5DAD8498F6A7C33A984ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397026141.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
                              • Instruction ID: 0aa4af5cad5aa26b294d26c4f982f3c507bb7e5d1470b2479bb542f95dd8221d
                              • Opcode Fuzzy Hash: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
                              • Instruction Fuzzy Hash: BC21AF76504244DFDB16CF50E9C4B56BF72FB88314F24C5A9DD090B696C33AD826CBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397026141.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction ID: c21e999bf4926dfce54065edd8bf9badd4ea141691cbd0f0154fa02d6ecea350
                              • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction Fuzzy Hash: 9E11E172404284DFCB15CF50E9C0B16BF71FB88314F24C6A9DC090B696C336E85ACBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397112719.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a1d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction ID: e9ea79728d11969aeadd8281e051cac0beb460ab2047664220212b66cbc3d66c
                              • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction Fuzzy Hash: A6118BB5904280DFDB15CF14D5C4B55FBA1FB84314F28C6A9D8494B696C33AD84ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397026141.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d3356f4b5267d660f8a1d0938f81a24495048e85031e9c4266a0a1946c49db31
                              • Instruction ID: 8eb4001bcef886052a3eb9985229c1c3a06db0a762f603e429ffb69c390be0f3
                              • Opcode Fuzzy Hash: d3356f4b5267d660f8a1d0938f81a24495048e85031e9c4266a0a1946c49db31
                              • Instruction Fuzzy Hash: CE01DB324043489FE7244B65ECC4B66FBE8EF41720F18C55AFD095E2C6C3799840CAB2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397026141.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_a0d000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e3449a08f5174db9155839ba5572e6cb48ed9dfb1141a5cd55d968a7042331c
                              • Instruction ID: e905da5fbe231467e85fe9a9389c97e0a6fbabbb90f007c5117b2afa4c99464a
                              • Opcode Fuzzy Hash: 2e3449a08f5174db9155839ba5572e6cb48ed9dfb1141a5cd55d968a7042331c
                              • Instruction Fuzzy Hash: F3F04F72405344AEE7248B16D984B62FBA8EB51734F18C55AED084E2D6C2799844CAA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 562d119745bb6a1badb3c8e9b1f8f48998d393e6b12b1ab3e754585de0badef0
                              • Instruction ID: 04c55a259cc9788ff1e5a2ad4596fa10377ae6bb3c39ed8d09fca19e911622ea
                              • Opcode Fuzzy Hash: 562d119745bb6a1badb3c8e9b1f8f48998d393e6b12b1ab3e754585de0badef0
                              • Instruction Fuzzy Hash: 17E1FC74E002198FDB14DFA9C580AAEFBF2FF89305F248159D815AB359D731A942CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1404483872.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c90000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 10a47b4270a7c2c24b2ae8a06ce52b13fd16195d9fe1b25c385f48339f7595ea
                              • Instruction ID: 0b1b4a9f00e395b3b7efdc0860a91f034bf3c2754cd49de2c3b2f0fe9fca5721
                              • Opcode Fuzzy Hash: 10a47b4270a7c2c24b2ae8a06ce52b13fd16195d9fe1b25c385f48339f7595ea
                              • Instruction Fuzzy Hash: 871284B0401745AAE330CFA7E95C5893AA1FBC131CB50860AD2611F3E5DBBC995ADF64
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1569176eb2455d8488b81ce6592c02e3590f999eee2a3c75fc0407030c0ecfd
                              • Instruction ID: a54b0f63fb066426663ee35e882c7fb7bf1e6d1f47f13ff1ae3c8c9fa0e8891e
                              • Opcode Fuzzy Hash: b1569176eb2455d8488b81ce6592c02e3590f999eee2a3c75fc0407030c0ecfd
                              • Instruction Fuzzy Hash: EBD17D70E00225DFCB14CF59C584AADBBF2BF88315F24856AD41AAB755E731ED42CBA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a413c553858f6a5d6ca0e86eeaa30850ae5ba79e00e06d4228aec01b3eba7b38
                              • Instruction ID: 572f7e9894e620795ce10376665aa82b96125c95198f23a0280a1b2df93fe858
                              • Opcode Fuzzy Hash: a413c553858f6a5d6ca0e86eeaa30850ae5ba79e00e06d4228aec01b3eba7b38
                              • Instruction Fuzzy Hash: D0E1EC74E002198FDB14DFA9C580AAEFBF2FF89305F248569D815AB35AD731A941CF60
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2094a8987ec47d1cc5e7c12f5aa345f0b0a3a8ff2b2598adc894578a042b3c9d
                              • Instruction ID: 16af364b9470f670742acc1a059c24e0db261029eaea3487cdd9422853025122
                              • Opcode Fuzzy Hash: 2094a8987ec47d1cc5e7c12f5aa345f0b0a3a8ff2b2598adc894578a042b3c9d
                              • Instruction Fuzzy Hash: 88E1FA74E002199FDB14DFA9C584AAEFBF2FF89305F248169D815AB359D730A941CFA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dd197a478e9c419abbc840094bcd3082bdd3bc42b7e620c5ba4cdf0662f25dcc
                              • Instruction ID: 38886159425700b1752a5f4b3e2fa4e4f44917ac3f36df63673dd65f64bd2e85
                              • Opcode Fuzzy Hash: dd197a478e9c419abbc840094bcd3082bdd3bc42b7e620c5ba4cdf0662f25dcc
                              • Instruction Fuzzy Hash: DEE1F974E002598FDB14DF99C580AAEFBB2FF89305F248169D515AB359DB30AD42CFA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7da47c82c1c72b3c3dd439afafb43f3f9a3f55bacc2a1f40d49d70f41df38ab2
                              • Instruction ID: dcc12529888e3d97872777a6dd3f9611bd25c9b7e5675e01272ac032ebbcfde7
                              • Opcode Fuzzy Hash: 7da47c82c1c72b3c3dd439afafb43f3f9a3f55bacc2a1f40d49d70f41df38ab2
                              • Instruction Fuzzy Hash: D5E1FC74E002198FDB14DFA9C584AAEFBF2BF89305F248159D815AB359DB31AD41CFA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1397814710.0000000002500000.00000040.00000800.00020000.00000000.sdmp, Offset: 02500000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_2500000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 82790e20eaa563f5bf39e4067017f51489a083ef0d3332bce019509d96312c40
                              • Instruction ID: b110f7a1313369ab716b5bd5987cd961b1b875aa9509a5ac6bac4ae2b385f39a
                              • Opcode Fuzzy Hash: 82790e20eaa563f5bf39e4067017f51489a083ef0d3332bce019509d96312c40
                              • Instruction Fuzzy Hash: 9AA16E36E0020A8FCF15DFB5C88059EBBB2FFC5304B1545AAE805AB2A5DB75E945CF80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1404483872.0000000004C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_4c90000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d83fa9dcf3e5856ef63dd07c676af4823f50b00757c41c9befa266ad7c59f248
                              • Instruction ID: da2e8693ae65e4c372a18935f2e87a66dbd7cf4b665a14b6d5a1c69c02591a3a
                              • Opcode Fuzzy Hash: d83fa9dcf3e5856ef63dd07c676af4823f50b00757c41c9befa266ad7c59f248
                              • Instruction Fuzzy Hash: D1C1F8B0801745AAD720CFA7E8585897BB1FBC531CF50870AD2612F2D5DBBC988ADF64
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6ec047cf3bfac43b6b8d7b7377aca650053e1041aa9733cdf3b8714266a2dd3
                              • Instruction ID: 0aa4df1e3f7a38e0f1c3d2e4c287b0e5bf6d78760c7c904c29801d330e3f9b5e
                              • Opcode Fuzzy Hash: d6ec047cf3bfac43b6b8d7b7377aca650053e1041aa9733cdf3b8714266a2dd3
                              • Instruction Fuzzy Hash: 73510D71E002198FDB14DFA9C5805AEFBF2BF89300F24C569D419AB356D731A942CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 395a9e214a73dc251f2317584eaa57400b67ccad0f9f66e6ca1fd47b7bb8b3c2
                              • Instruction ID: 6a0cea7b93e905064480ee6d9786ae66ed4cfe5d52f27d33afc4c5c61207c5a2
                              • Opcode Fuzzy Hash: 395a9e214a73dc251f2317584eaa57400b67ccad0f9f66e6ca1fd47b7bb8b3c2
                              • Instruction Fuzzy Hash: B751EB75E002198FDB14DFA9C5845AEFBF2BF89304F248169D418AB35AD731AD42CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 15543c0cbfb1d4d01867f9f3e327ed1ecb4c430abe8dcdc1d7f1425aea84a5d1
                              • Instruction ID: d999f73759393843b879e23cd05ea609059aa3eeef2f2ada4aeab4d18ba506cb
                              • Opcode Fuzzy Hash: 15543c0cbfb1d4d01867f9f3e327ed1ecb4c430abe8dcdc1d7f1425aea84a5d1
                              • Instruction Fuzzy Hash: AD512D74E002198FDB18DFA9C5805AEFBF2BF89301F24C569D419AB359D730A942CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7acc00249792915d339903542439897fea072ef3c32071b6cab679c30a38a8d
                              • Instruction ID: 2c492fae2f72b7f219ae81bb32103b502b4a6e4653bc2d63a278e9339827df39
                              • Opcode Fuzzy Hash: d7acc00249792915d339903542439897fea072ef3c32071b6cab679c30a38a8d
                              • Instruction Fuzzy Hash: 9951FA75E002198FDB14DFA9C5845AEFBF2BF89304F24C169D818AB359D731A942CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1403117702.00000000046D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 046D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_46d0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d2b7deaf71dd99b3298ce164253036d59a0cef6022ff7576f36a40c775f354b6
                              • Instruction ID: 5e08f036703d65f1a26f78f9c1134db71c084773e49d2e2841416aa15d2217ae
                              • Opcode Fuzzy Hash: d2b7deaf71dd99b3298ce164253036d59a0cef6022ff7576f36a40c775f354b6
                              • Instruction Fuzzy Hash: 18E09A35E19114EBDB109F54E9495F8BB78AB4A311F00A4A6D42EA3251FB306A529B41

                              Execution Graph

                              Execution Coverage:11.1%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:476
                              Total number of Limit Nodes:33
                              Execution Graph: rendered call graph omitted (node and edge data of the graph widget is not reproducible as text)

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53cc90c-53ce29c and call EnumThreadWindows
                              APIs
                              • EnumThreadWindows.USER32(?,00000000,?), ref: 053CE259
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: EnumThreadWindows
                              • String ID:
                              • API String ID: 2941952884-0
                              • Opcode ID: 152bb3d85d9ae015176e041ead9307e56b7088086693e8b3cfb9c0865a5c9bd9
                              • Instruction ID: c9cf3a042a17df7245508ef12ddb341ad4f034392e5ca5fe213b163034b9070a
                              • Opcode Fuzzy Hash: 152bb3d85d9ae015176e041ead9307e56b7088086693e8b3cfb9c0865a5c9bd9
                              • Instruction Fuzzy Hash: CB419F72A04205DFDB14DF99C840BAEBBF9EF88310F14846EE419A7340CB789845DB65

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53c1dc4-53c1f41 and call CreateWindowExW
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C1EE2
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: ca7cd2dcf6bd1b1c6be0bf5ddbc93b394230b1be93e1654473a7d85dd3a92fc0
                              • Instruction ID: e6da8ec30230bab7c86ac28ce4e19967d9f49a6dae4623c38992953bd4f7ca0a
                              • Opcode Fuzzy Hash: ca7cd2dcf6bd1b1c6be0bf5ddbc93b394230b1be93e1654473a7d85dd3a92fc0
                              • Instruction Fuzzy Hash: 9E51BCB1D103499FDB14CFA9C884ADEBFB5BF48310F24826EE819AB211D775A845CF90

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53c1dd0-53c1f41 and call CreateWindowExW
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053C1EE2
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: a0ab1235192f874331cdbcf60f9c92311a3767c5152913c3578198d7d33f2ab2
                              • Instruction ID: 03e8e8d6a6bef00c53d7a311c8ce7ec99b20dfd4cff929c56eadd5e1ef110783
                              • Opcode Fuzzy Hash: a0ab1235192f874331cdbcf60f9c92311a3767c5152913c3578198d7d33f2ab2
                              • Instruction Fuzzy Hash: F641AEB1D103499FDB14CFA9C884ADEBFB5BF48310F24826EE819AB211D775A845CF90

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 2d47364-2d474b9 and call CreateActCtxA
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 02D47421
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430914779.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2d40000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: b8fb2b3b3413866301636b67096a113acac28a47698ce511c10a87db770e7a31
                              • Instruction ID: f50f630294c8d8135c456c743ebf9020dc04a9f7080d3a35daf8ad7e4b6577dc
                              • Opcode Fuzzy Hash: b8fb2b3b3413866301636b67096a113acac28a47698ce511c10a87db770e7a31
                              • Instruction Fuzzy Hash: 3041CDB1C00719CBEB24CFA9C844B9EFBB5BF49304F60806AD408AB351DB756946CF90

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53c2b64-53c446c and call CallWindowProcW
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 053C4411
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 7e0bbf963cbe0188b526b49e546236e2e6b236da3d0e071e8d87bac4d7f1be70
                              • Instruction ID: d5d930af248ce20919d7c38c199b1d8c6da70452d5d87065f75428e9f0621489
                              • Opcode Fuzzy Hash: 7e0bbf963cbe0188b526b49e546236e2e6b236da3d0e071e8d87bac4d7f1be70
                              • Instruction Fuzzy Hash: B14128B9900205DFDB14CF99C498AAABBF5FF88314F24C49DE519AB321D775A841CBA0

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 2d46414-2d474b9 and call CreateActCtxA
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 02D47421
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430914779.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2d40000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: e22335754a28178ff56af8b5291c01c3d2f442a81915b502b1b84c57657357af
                              • Instruction ID: edd73f5dd7047cb7fc61a6b7e5bd85263dd08b65f5446b4288339d891c98ba7f
                              • Opcode Fuzzy Hash: e22335754a28178ff56af8b5291c01c3d2f442a81915b502b1b84c57657357af
                              • Instruction Fuzzy Hash: 6F41AEB0D00719CBEB28DFA9C844B9EFBB5BF49304F60806AD418AB351DB756946CF90

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53cb168-53cb25a, call the internal functions 53c9d7c and 53cac28, and call CreateIconFromResourceEx
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: c95b0252254267eee10a3bcb0dceec5d27f58166eced8b9a40c65c27cc6f0c3a
                              • Instruction ID: 6aa0edebaf7d58767ef4febcbc47b3598e85706bf84d69180801c4518ca48d7e
                              • Opcode Fuzzy Hash: c95b0252254267eee10a3bcb0dceec5d27f58166eced8b9a40c65c27cc6f0c3a
                              • Instruction Fuzzy Hash: 2C317A72900349DFCB11DFA9D844AEEBFF8EF09250F14805AE954AB221C335A854DBA1

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 2d46780-2d46842 and call DuplicateHandle
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D4674E,?,?,?,?,?), ref: 02D4680F
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430914779.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2d40000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 2d835e6388803d66af068cfe398d9c1728d089d6707c21df32f1768820adc7bb
                              • Instruction ID: 26a092d3ee16304e3b5eff2e52e12832f818661d5ef31aae2f8c9afdc5099219
                              • Opcode Fuzzy Hash: 2d835e6388803d66af068cfe398d9c1728d089d6707c21df32f1768820adc7bb
                              • Instruction Fuzzy Hash: 863114B5C00248EFDB10CFAAC884AEEBBF4EB09310F14851AE954A7351D334A944CFA0

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 2d4611c-2d46842 and call DuplicateHandle
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02D4674E,?,?,?,?,?), ref: 02D4680F
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430914779.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2d40000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: c80768aad54ca6a3cc07a1c54b90c48c19a20f325ede56b0328996e4d03d3697
                              • Instruction ID: d406e287fe988fefa33403a03a39a3da5694dd6a5dd9e55282bbecf244d0cb6b
                              • Opcode Fuzzy Hash: c80768aad54ca6a3cc07a1c54b90c48c19a20f325ede56b0328996e4d03d3697
                              • Instruction Fuzzy Hash: 8D2116B5D00208DFDB10CF9AD884ADEBBF8FB48310F14801AE954A7350D378A940CFA1

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53cc91c-53ce29c and call EnumThreadWindows
                              APIs
                              • EnumThreadWindows.USER32(?,00000000,?), ref: 053CE259
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: EnumThreadWindows
                              • String ID:
                              • API String ID: 2941952884-0
                              • Opcode ID: 42a28630abe83c591c70673e22db5556695a9a74e095997cd83d81db3b9f6cc7
                              • Instruction ID: 29be7566d3d7229b1d8f2d03d7bf30c31c434b22b8a4bbaa96b750a9b1131b8d
                              • Opcode Fuzzy Hash: 42a28630abe83c591c70673e22db5556695a9a74e095997cd83d81db3b9f6cc7
                              • Instruction Fuzzy Hash: 36210475904209CFDB14DF9AC844BAEFBF9FB88320F14842AE419A7250D778A945CFA5

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 53c9d7c-53cb25a and call CreateIconFromResourceEx
                              APIs
                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,053CB182,?,?,?,?,?), ref: 053CB227
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: f89dfd8fc3e91982445c10668039e1f55467685138cd481fc59fe08972362014
                              • Instruction ID: c7c6a08bbe9c2afa569b2f5ad18d57fcd5b9b9e5832def92fa59ae57c878dd9f
                              • Opcode Fuzzy Hash: f89dfd8fc3e91982445c10668039e1f55467685138cd481fc59fe08972362014
                              • Instruction Fuzzy Hash: 6C1159B5800249DFDB10CF9AD844BEEBFF8EB48310F14841AE955A7210C375A950CFA5

                              Control-flow Graph
                              • Rendered graph omitted; basic blocks span 2d4c294-2d4c915 and call LoadLibraryExW
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D4C6D1,00000800,00000000,00000000), ref: 02D4C8E2
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430914779.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2d40000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: 4bc8263156f37ee8842ba2f2a000f58c06977084e55cd108bc81b3887bb7f459
                              • Instruction ID: 769a3a1d7f6bda7e3a0eb2819c6d86f7878bce38885b1b684e95466306c97c1a
                              • Opcode Fuzzy Hash: 4bc8263156f37ee8842ba2f2a000f58c06977084e55cd108bc81b3887bb7f459
                              • Instruction Fuzzy Hash: 041103B6D003499FDB24CF9AD444A9EFBF4EB48310F10842AE419A7300C779A945CFA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02D4C256
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430914779.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_2d40000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 12e36ea4e05d2a8dc84d129479e8521bada9cca9799ebc693a5796e74b243c7e
                              • Instruction ID: c09543bd0baf1a93f0687c9591e17f1b3c56b1e4cd6ed0df389d494530e802d0
                              • Opcode Fuzzy Hash: 12e36ea4e05d2a8dc84d129479e8521bada9cca9799ebc693a5796e74b243c7e
                              • Instruction Fuzzy Hash: 021102B6C002498FDB14CF9AC444ADEFBF4EB88614F14851AD819A7310C375A545CFA1
                              APIs
                              • SetWindowLongW.USER32(?,?,?), ref: 053C2075
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: 1b3fd5b2f69d5afca80f106cc057dd651625a6835ab9df3d4e8d4b5874e916e6
                              • Instruction ID: 5170c77683649c40d8321fa7b854bdfa6b8dbd1d72416c189976592f64066f86
                              • Opcode Fuzzy Hash: 1b3fd5b2f69d5afca80f106cc057dd651625a6835ab9df3d4e8d4b5874e916e6
                              • Instruction Fuzzy Hash: 3F11E3B58002499FDB10CF9AD485BEBBFF8EB48310F24845AE959A7240C375A944CFA5
                              APIs
                              • SetWindowLongW.USER32(?,?,?), ref: 053C2075
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              • Opcode ID: 426df1bab1e97085e76486e14d82e3d97df82e0f5cb627f69c4e920ac9365522
                              • Instruction ID: c55cd5fbaeae2e77948798636bc966e9bcf16f1a2b6e187178c2611bd39c6136
                              • Opcode Fuzzy Hash: 426df1bab1e97085e76486e14d82e3d97df82e0f5cb627f69c4e920ac9365522
                              • Instruction Fuzzy Hash: C11103B5800249DFDB20CF9AC484BDFBBF8EB48320F10841AE959A7340C375A944CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.1456290200.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_53c0000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: 4aaffbb2920831d387caecd3aac3033e06297fdec6e23a1fbb838603b0f8ee84
                              • Instruction ID: 1db9f30bb288ff2b769fc0b7901c16952d8fb922b7d1e45afd3ed0411cf6e238
                              • Opcode Fuzzy Hash: 4aaffbb2920831d387caecd3aac3033e06297fdec6e23a1fbb838603b0f8ee84
                              • Instruction Fuzzy Hash: 68F0C4B6800309DFDB10CF89D445BDEFBF4EB48314F10845AE559A7250C375A544CFA1
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430539491.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_13cd000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f167e6c0a02fe572ae99695ba179ca1986f7353b2126612011d1d184a292f300
                              • Instruction ID: 25e0b9f7d27c36bb158019e28557f445a6c1d67e0d7443c6e27a5606aa6d3408
                              • Opcode Fuzzy Hash: f167e6c0a02fe572ae99695ba179ca1986f7353b2126612011d1d184a292f300
                              • Instruction Fuzzy Hash: 30210071604204EFDB15DF68D9C0B26BBA5FB84718F20C57DE80A0B696C336D807CBA2
                              Memory Dump Source
                              • Source File: 00000003.00000002.1430539491.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_3_2_13cd000_rNuevoPedidoPO-00843.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f5e573c3865048c247a474b1f290030e4c8806c3af45bbc67eadda8f2f91048
                              • Instruction ID: f5f4e27f20aec912da62dc6a6801b8c22c56ae6d0531b1968dbc173f81958745
                              • Opcode Fuzzy Hash: 6f5e573c3865048c247a474b1f290030e4c8806c3af45bbc67eadda8f2f91048
                              • Instruction Fuzzy Hash: E12180755083809FCB02CF58D994711BF71EB46214F28C5EAD8498F6A7C33A9806CBA2

                              Execution Graph

                              Execution Coverage:10.3%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:314
                              Total number of Limit Nodes:12
                              Execution graph (APIs appearing on graph nodes: FindCloseChangeNotification, ResumeThread, PostMessageW, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, CreateProcessA, CallWindowProcW, CreateActCtxA, GetModuleHandleW, LoadLibraryExW, DuplicateHandle)

                              Control-flow Graph: function 4c16ab3-4c16dfd, calls CreateProcessA
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C16CEE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: e00b40b0a0cd61ea76161611d27c13c6e4ed97a88b99aa203c44a421706fa91f
                              • Instruction ID: 17c6bd033214d3af151bfd5548cfe35f0b3592003de56a0a0ee028f2c600c283
                              • Opcode Fuzzy Hash: e00b40b0a0cd61ea76161611d27c13c6e4ed97a88b99aa203c44a421706fa91f
                              • Instruction Fuzzy Hash: E2915A71E00319DFEF24DF68C841BEDBBB2EB49314F048569E808A7250DB74AA85DF91

                              Control-flow Graph: function 4c16ab8-4c16dfd, calls CreateProcessA
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04C16CEE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 0e9d5f62cd3857df5a4012efaf28d6b1b7c8894ef0c91b2f59952ca661017d9e
                              • Instruction ID: 6953c7a4641c7dd19a1d6926608f75f32079de0fcfed14ea3c8e495e2ec29e60
                              • Opcode Fuzzy Hash: 0e9d5f62cd3857df5a4012efaf28d6b1b7c8894ef0c91b2f59952ca661017d9e
                              • Instruction Fuzzy Hash: 33914A71E00319DFEF24DF68C841BEDBBB2AF49314F148569E808A7250DB74AA85DF91

                              Control-flow Graph: function 127b18f-127b420, calls GetModuleHandleW (internal calls to 127a0f0, 127b829, 127b838, 127a0fc, 127a10c, 127a11c, 127a12c)
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0127B3F6
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: e2990a5d420c127331014feb233414b875e1140e933c0a33f139e39f9efb5580
                              • Instruction ID: b40e1fc785c4c4db20315019c6b2d340f7806bbcfc217a1714ae0727fbb07886
                              • Opcode Fuzzy Hash: e2990a5d420c127331014feb233414b875e1140e933c0a33f139e39f9efb5580
                              • Instruction Fuzzy Hash: 36814870A10B068FE724DF6AD44579BBBF1FF88200F00892EE58ADBA50D774E945CB90

                              Control-flow Graph: function 12744b4-1275a61, calls CreateActCtxA
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 012759C9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 23bd211441c85e317f3e60b2e90007b5f262de715a427ccfbfbc95990b0b4f09
                              • Instruction ID: fd19d5de628e5c26527ea9e217ec166fb0f8d49154d6e9cf702a1aa5b4aa880c
                              • Opcode Fuzzy Hash: 23bd211441c85e317f3e60b2e90007b5f262de715a427ccfbfbc95990b0b4f09
                              • Instruction Fuzzy Hash: D841B071D10729CBEB24DFA9C884BDEBBB5BF49304F20806AD508AB251D7B55946CF90

                              Control-flow Graph: function 127590d-1275a61, calls CreateActCtxA
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 012759C9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 113f394a41df5f73fd1be4f11a63ab199b65d249c763d3f76614360d01cbbe8a
                              • Instruction ID: 1edbf0a8357e464ee49e6259ddcec65fd9b30e95fd02007d165ca217b70c4a82
                              • Opcode Fuzzy Hash: 113f394a41df5f73fd1be4f11a63ab199b65d249c763d3f76614360d01cbbe8a
                              • Instruction Fuzzy Hash: DC41D0B1C10729CFEB24DFA9C884BCEBBB1BF49304F20846AD408AB255DB755946CF50

                              Control-flow Graph: function 51343a0-51344bc, calls CallWindowProcW
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05134461
                              Memory Dump Source
                              • Source File: 00000006.00000002.1502492910.0000000005130000.00000040.00000800.00020000.00000000.sdmp, Offset: 05130000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_5130000_workbook.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 9b3753c42cb84df85fc93c80d1125ddff9054aed517a1ae574e236f0d67bce46
                              • Instruction ID: c9793a685b686c60af5d4ece7f306d1e2bac6092bbc72a6dad08d15fc7ba0575
                              • Opcode Fuzzy Hash: 9b3753c42cb84df85fc93c80d1125ddff9054aed517a1ae574e236f0d67bce46
                              • Instruction Fuzzy Hash: B04118B5900305DFDB14CF99C889AAABBF5FF88314F24C459E519AB321E775A841CFA0

                              Control-flow Graph: function 4c16693-4c1675c, calls Wow64SetThreadContext
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C16716
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: ae8cbf409c2db5c2bb76e812abb7d87d06a952f5a8fa0252f7b25cd1de8bb1ac
                              • Instruction ID: 95a4eb4c2ef8335c0feeaa2e678e1c8675e82cbc772cc4a1d44f631f2666ae78
                              • Opcode Fuzzy Hash: ae8cbf409c2db5c2bb76e812abb7d87d06a952f5a8fa0252f7b25cd1de8bb1ac
                              • Instruction Fuzzy Hash: 9D313C76D003088FDB10DFAAC4457EEFBF5EF49320F14842AD559A7240CB79AA45CB95

                              Control-flow Graph (WriteProcessMemory)
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C168C0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: d4f45bd13cc87c84c4d15c96f0293b9043bf68623989a74bc679fd82eb6c0caf
                              • Instruction ID: 984f3d41c92c60c106b9e38516af6401206b1c9119b79195896a93f26ab1a17b
                              • Opcode Fuzzy Hash: d4f45bd13cc87c84c4d15c96f0293b9043bf68623989a74bc679fd82eb6c0caf
                              • Instruction Fuzzy Hash: EA213572D003199FDB10CFA9C980BDEBBF1FF48310F10842AE958A7250C778A655DB60

                              Control-flow Graph (WriteProcessMemory)
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04C168C0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 7e3b4b1254a8c0d6f4699dd1e2cd658ed61d12a859f97bba54c4532c8d781c85
                              • Instruction ID: 2e0844ff9d5554153d732cab605293118a375dcb4c7e05453c4165fe6493d263
                              • Opcode Fuzzy Hash: 7e3b4b1254a8c0d6f4699dd1e2cd658ed61d12a859f97bba54c4532c8d781c85
                              • Instruction Fuzzy Hash: 7C214471D003199FDB10CFAAC880BEEBBF5FF48310F10842AE918A7240C778A945DBA5

                              Control-flow Graph (ResumeThread)
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: dada803a7772b1c8a0f0469bcb758e9c2d80355c38583529e753f094ed54bcb3
                              • Instruction ID: 79c4b1715287ef0aa5ca8bea4f8dd6e13ad8f58e21881464f0a596f10c9808c4
                              • Opcode Fuzzy Hash: dada803a7772b1c8a0f0469bcb758e9c2d80355c38583529e753f094ed54bcb3
                              • Instruction Fuzzy Hash: 572168B5E002488FEB20CFAAC4447EEFBF5EB48310F208419D419A7350CA35AA42CFA5

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1244 127b7f0-127d834 DuplicateHandle 1246 127d836-127d83c 1244->1246 1247 127d83d-127d85a 1244->1247 1246->1247
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127D766,?,?,?,?,?), ref: 0127D827
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: ce290830d4adc0a9d0432b0fda30d68ac0d182308246470c583a2c436945e37b
                              • Instruction ID: 1eaab4b77dba05da0c4fb478927427295582a10241459e15e3bfab09172d632f
                              • Opcode Fuzzy Hash: ce290830d4adc0a9d0432b0fda30d68ac0d182308246470c583a2c436945e37b
                              • Instruction Fuzzy Hash: 8F21D4B5910248DFDB10CF9AD884ADEFBF4EB48310F14841AE958A7350D375A945CFA5
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0127D766,?,?,?,?,?), ref: 0127D827
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: bc1a51269cb081a4321bd89ff463fd5d51fdd99e4eca04de5554df89b6b6fb29
                              • Instruction ID: 79579d68ff40dd3f7b2f104cd98c9250b240aa5425ff406034a62f192e900d00
                              • Opcode Fuzzy Hash: bc1a51269cb081a4321bd89ff463fd5d51fdd99e4eca04de5554df89b6b6fb29
                              • Instruction Fuzzy Hash: 1521E5B5D00248DFDB10CF9AD484ADEBFF4EB48310F14801AE958A7350C379A945CF65
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C169A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 545465e9e3e797cdd1809b03b00d88b300cb1ab60217ff963d97ae6af1b2fa5f
                              • Instruction ID: 9c1c3a600fe3665836a85d55d7222539b0579dd446c8dfa612332960267f48d4
                              • Opcode Fuzzy Hash: 545465e9e3e797cdd1809b03b00d88b300cb1ab60217ff963d97ae6af1b2fa5f
                              • Instruction Fuzzy Hash: 062116B1D003599FDB10DFAAC980BEEBBF1FF48310F14842AE558A7250C739A545DB65
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04C169A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: e5caa9399dfcb1f565ac5c45a05b45decd6674b44a8d434dcc4ac0737f0e79fa
                              • Instruction ID: 9dbc7301b21dc71d452a657ddd845299cdf2eb0a5afb9c7199977af80a90228e
                              • Opcode Fuzzy Hash: e5caa9399dfcb1f565ac5c45a05b45decd6674b44a8d434dcc4ac0737f0e79fa
                              • Instruction Fuzzy Hash: 89211671D003599FDB10DFAAC840BEEBBF5FF48310F10842AE958A7250C739A505DBA5
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04C16716
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 06989f6a736cb757bdaa6418d0f0551e7060a910c8ed02b34d185aaebf494952
                              • Instruction ID: 0c464315eac24959adf69e805fa8b98694e5d189beae7a115f55d8102d164d1e
                              • Opcode Fuzzy Hash: 06989f6a736cb757bdaa6418d0f0551e7060a910c8ed02b34d185aaebf494952
                              • Instruction Fuzzy Hash: 66213471D003088FDB14DFAAC484BEEBBF5EF49310F14842AD559A7240CB78AA45CBA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0127B871,00000800,00000000,00000000), ref: 0127BA82
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: c2bc8ef3788ea0e30824651d077072b05d865af058712c27aa7b45dce2d26abb
                              • Instruction ID: 8c829607e7ef62678f985627f018886040c0d500d7445d3528822e62eb63d81e
                              • Opcode Fuzzy Hash: c2bc8ef3788ea0e30824651d077072b05d865af058712c27aa7b45dce2d26abb
                              • Instruction Fuzzy Hash: 991114B6C003499FDB20DF9AC444ADEFBF5EB48310F10842AE519A7700C375A545CFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C167DE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 54851610dcea9bad657f2361e6c67155a8ce575ddca0a2baff711f68a8309969
                              • Instruction ID: 3b392c5fad94b925d81df3c89046caa1cb79f6a03cf11bacadc1160704296364
                              • Opcode Fuzzy Hash: 54851610dcea9bad657f2361e6c67155a8ce575ddca0a2baff711f68a8309969
                              • Instruction Fuzzy Hash: 07115672900348DFDB20CFAAC844BDEBBF5EF48320F108419E619A7250CB39A505CBA5
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0127B871,00000800,00000000,00000000), ref: 0127BA82
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: adc5e234166789bcfad209c6bace0912b7e9ad605eaf1de8c9356b60bb40417d
                              • Instruction ID: 0d6d1ec65c588494f7a2494a7c81eeb1a7e24cb977d7d848f142ce69a27c01fd
                              • Opcode Fuzzy Hash: adc5e234166789bcfad209c6bace0912b7e9ad605eaf1de8c9356b60bb40417d
                              • Instruction Fuzzy Hash: 261114B6C003499FDB20DF9AD444ADEFBF4EB48310F14842EE559A7600C379A545CFA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04C167DE
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: be720a38200a3a807c63bb669bcc4ac1c19e5d97e9a7240e46bb7a354956a88f
                              • Instruction ID: 23062493f422eabcfa7bc550026cd1eb581707ec68e6b7806bb06d9bcc0ecc01
                              • Opcode Fuzzy Hash: be720a38200a3a807c63bb669bcc4ac1c19e5d97e9a7240e46bb7a354956a88f
                              • Instruction Fuzzy Hash: 081156729003489FDB20CFAAC844BDEBBF5EF48310F108419E519A7250CB35A505CBA1
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04C1A191,?,?), ref: 04C1A338
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 4fd4ccbef0608fc096c2bcd227a58c00ec8e0d459f8e10d197da7e4033c68819
                              • Instruction ID: 47e37d3eb35ac8372c735efcb136e3c730cdaac2c8b94d4f243d5819e8912b51
                              • Opcode Fuzzy Hash: 4fd4ccbef0608fc096c2bcd227a58c00ec8e0d459f8e10d197da7e4033c68819
                              • Instruction Fuzzy Hash: 151125B5C00249CFDB20CFAAC544BDEBBF5EB48320F20841AD558A7340D739A64ACFA5
                              APIs
                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,04C1A191,?,?), ref: 04C1A338
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: ff9b4f4fcd720daf509f0058fca2bc149307b3f005334fa56f6af674a55240dc
                              • Instruction ID: c5fa0f46f943269186873db943b555a92747cb191fbfeb08ad58795c10ac5581
                              • Opcode Fuzzy Hash: ff9b4f4fcd720daf509f0058fca2bc149307b3f005334fa56f6af674a55240dc
                              • Instruction Fuzzy Hash: 541125B5904349CFDB20DF9AC445BEEBBF5EB48320F20841AD958A7340D379A945CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 655e2bc0f12b5ac95a1cb687716efc2505f0f42d693617aef9fd3aaaaf1c9f36
                              • Instruction ID: 6a8489a977b1d41ec8156081a448a05f6c7b7ae8dde7e9d6b56f0c11679c6a8a
                              • Opcode Fuzzy Hash: 655e2bc0f12b5ac95a1cb687716efc2505f0f42d693617aef9fd3aaaaf1c9f36
                              • Instruction Fuzzy Hash: F61128B1D003488FDB24DFAAC4447DEFBF5EB48310F248419D519A7340CA79A545CBA5
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0127B3F6
                              Memory Dump Source
                              • Source File: 00000006.00000002.1459274428.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_1270000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: b72e6147c66b748e82a1e650c0fcfb87f210149283626c56282120432f174276
                              • Instruction ID: 3033bdba2cdf1e89ba0c2aca7b30f26cb953d019c4ad6f5bc6f4eb898ccd639e
                              • Opcode Fuzzy Hash: b72e6147c66b748e82a1e650c0fcfb87f210149283626c56282120432f174276
                              • Instruction Fuzzy Hash: 2811DFB6C00749CFDB24CF9AC448ADEFBF4EB88210F10841AD969A7610C379A546CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 04C19285
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: c9052623b7e371d64c3e8d09d26db2333b163289244915fce1d47400ee32484a
                              • Instruction ID: c8a6ee9665e4122f8b51bf288eff9b01038feaa42744b3c0877ff56caa6cfbfb
                              • Opcode Fuzzy Hash: c9052623b7e371d64c3e8d09d26db2333b163289244915fce1d47400ee32484a
                              • Instruction Fuzzy Hash: FF11F2B5800348DFDB20CF9AD884BEEBBF8EB48310F108419E958A7210C375A944CFA6
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 04C19285
                              Memory Dump Source
                              • Source File: 00000006.00000002.1501644793.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_4c10000_workbook.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 668878c8bbd524ded82cef581dcefc28bacb99c5b65e6ac0de2a648dbc78adbc
                              • Instruction ID: b80b87b1596406eb1dfbde6c031f3f2bc35628ca0f5d14dcb0042a817d778c10
                              • Opcode Fuzzy Hash: 668878c8bbd524ded82cef581dcefc28bacb99c5b65e6ac0de2a648dbc78adbc
                              • Instruction Fuzzy Hash: 2D1103B5800349DFDB20CF9AC484BDEFBF8EB48310F108419E958A7211C375A545CFA1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456678780.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_106d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8b5b077ee17ce03c13e68e341ab641f21f1c54db60a14dc14ae3c51ab2800fc
                              • Instruction ID: eef3fb468bf4f0592b7ba53e7370761004c0ff6d3b21a8e2edc30877a5a5c8c7
                              • Opcode Fuzzy Hash: a8b5b077ee17ce03c13e68e341ab641f21f1c54db60a14dc14ae3c51ab2800fc
                              • Instruction Fuzzy Hash: CD210672600240DFDB15DF54D9C0B2ABFA9FB88318F24C5A9E9850F656C336D456CBA2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456678780.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_106d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a7f846f4b92a72f96802f3910c9682ee4f329687ffbdd6c84d5975438be9bb3b
                              • Instruction ID: 243374fd42d1667df7067f3897cdc4a3a6496355eb7da2f5662c33cb39a8bfe7
                              • Opcode Fuzzy Hash: a7f846f4b92a72f96802f3910c9682ee4f329687ffbdd6c84d5975438be9bb3b
                              • Instruction Fuzzy Hash: 66214872600244DFDB15DF54D9C0B5ABBA9FB88314F20C1ADE9890F256C736E846CBA2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456999639.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_107d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c9406702bbef260cfda3dc7c9d77bdfa15eab87e85f877bd12fbabc690e0dfc4
                              • Instruction ID: d53f09a708a06c5faf1889b11c28232ef0efd3ab51b3f0b74b4483c07ff28d43
                              • Opcode Fuzzy Hash: c9406702bbef260cfda3dc7c9d77bdfa15eab87e85f877bd12fbabc690e0dfc4
                              • Instruction Fuzzy Hash: B5210371A04200EFDB15DF94D5C0B25BBA1FF84324F20C5ADE9894B292C336D407CB65
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456999639.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_107d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1f94b33ddb0a7f6c4ed5b8d3dbee66f261fdb90ceab3fc0ff00095aadd421660
                              • Instruction ID: 5daaa07aaebdc40761a6eefeffa320e67a04f3f29b393c9a64ca7dbf24ed834f
                              • Opcode Fuzzy Hash: 1f94b33ddb0a7f6c4ed5b8d3dbee66f261fdb90ceab3fc0ff00095aadd421660
                              • Instruction Fuzzy Hash: CA210371A04300DFDB16DF64D980B16BBA1EF84314F20C5ADE98A0B292C336D407CBA6
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456999639.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_107d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4121f828973d0ec1d96ef78074f6d8980b19db889450a99a264aa651e1ca7a99
                              • Instruction ID: 2dd29b1c132f048145583906aedbdd8f5cf529d46c1a281584aca1f6edc970ae
                              • Opcode Fuzzy Hash: 4121f828973d0ec1d96ef78074f6d8980b19db889450a99a264aa651e1ca7a99
                              • Instruction Fuzzy Hash: 192183755093809FDB13CF64D590715BFB1EF46214F28C5DAD8898F6A7C33A980ACBA2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456678780.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_106d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction ID: cead0a2b08b8ba93be7332aebb087b2e700dfcb7013a8696b7ffe12dc71a0af8
                              • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction Fuzzy Hash: 9C11E1B2504240DFDB16CF44D5C0B56BFB1FB84324F24C6A9D9890B657C33AE856CBA2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456678780.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_106d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction ID: be6f7e9f9c90b900127bd9a25d882bd018147a75ead8db15fd1f57e2d653f0fd
                              • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction Fuzzy Hash: 4E11E172904280DFCB16CF54D5C0B16BFB1FB84314F24C6A9D8890BA57C336D456CBA2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456999639.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_107d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction ID: 878e87c4fa595f437b6423d83318874de744e7985a3d2cd6360897507a450462
                              • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction Fuzzy Hash: 9F11A975904280DFDB16CF54D5C0B15BFA1FF84224F28C6A9D8894B696C33AD40BCB62
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456678780.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_106d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6d7f673ff4543b4d06feb9247c5f3fae704f01b0d1552e74d8c230f62aae404e
                              • Instruction ID: 20c910a188729b5709c15820447e863f42f8b99cfaaf78514e65fd54db627d91
                              • Opcode Fuzzy Hash: 6d7f673ff4543b4d06feb9247c5f3fae704f01b0d1552e74d8c230f62aae404e
                              • Instruction Fuzzy Hash: EA01A7316043849EE7604E69CC84B66BBDCFF41624F18859AEDC94E286D27D9444CBB3
                              Memory Dump Source
                              • Source File: 00000006.00000002.1456678780.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_106d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cddf1394c37bc9816ed70b6d7f4758fad8991d2cb889e12a3f91da67442005f0
                              • Instruction ID: 55c6487ec9776f4ebab1f46a9a862875616c261eeae2bc8150e02b79d6bf2969
                              • Opcode Fuzzy Hash: cddf1394c37bc9816ed70b6d7f4758fad8991d2cb889e12a3f91da67442005f0
                              • Instruction Fuzzy Hash: E0F0C831504384AEE7208E0ACC84B62FFDCEF40624F14C49AED884F287C2799844CB72

                              Execution Graph

                               Execution Coverage: 11.6%
                               Dynamic/Decrypted Code Coverage: 100%
                               Signature Coverage: 0%
                               Total number of Nodes: 239
                               Total number of Limit Nodes: 13

                               The rendered execution graph was flattened to a single run of node IDs by extraction; only the paths that end in an API call are recoverable and are listed below, grouped by the memory region the nodes belong to (edges between non-API nodes omitted).

                               Region 024E0000 (dump 00000007.00000002.1536024368.00000000024E0000, based on PE: false):
                               • 24e7d11 → 24e6aac / 24e6ab8 → 24e6b41 CreateProcessA
                               • 24e80b0 → 24e6919 / 24e6920 → 24e696b ReadProcessMemory
                               • 24e7df6 / 24e7e94 → 24e8958 / 24e8947 → 24e6768 / 24e6770 → 24e67b0 VirtualAllocEx
                               • 24e7e13 / 24e8412 / 24e8244 → 24e6829 / 24e6830 → 24e6878 WriteProcessMemory
                               • 24e820b / 24e7e57 → 24e6698 / 24e6690 → 24e66dd Wow64SetThreadContext
                               • 24e7e26 → 24e65e8 / 24e65e0 → 24e6628 ResumeThread
                               • 24e8fa8 → 24e8ae8 → 24e9228 PostMessageW
                               The first six paths are all dispatched from 24e78d8 / 24e7946 / 24e78e8 (reached from 24e705b via 24e6f31; each callee is annotated "2 API calls" in the graph). Taken together they are the create process → read remote memory → allocate → write → set thread context → resume sequence of process hollowing, performed from code that is not backed by a PE file on disk.

                               Region 00CB0000:
                               • cbd558 → cbd738 → cbb7f0 → cbd7a0 DuplicateHandle
                               • cb4668 → cb4778 → cb4888 / cb4877 → cb44b4 → cb5918 CreateActCtxA
                               • cbb838 → cbb428 → cbba18 LoadLibraryExW
                               • cbb390 → cbb3d8 GetModuleHandleW

                               Region 04D80000:
                               • 4d87080 → 4d86e48 → cb86d8 / cb722c / cb8708 → cbd170 → cbd440 → cbb728 → cbb80c → 4d8006c → 4d80e98 / 4d80e90 → 4d81d80 / 4d81c70 → 4d81dd0 / 4d81dc4 → 4d81e38 CreateWindowExW
                               • 4d843a0 → 4d8443a CallWindowProcW
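                               The API chain recorded in the execution graph above is the textbook process-hollowing sequence, and a sandbox trace is the natural place to detect it. The following is an added example, not code from the Joe Sandbox report or from the sample: it parses API lines in the exact "Name.Module(args), ref: ADDR" form this report uses, checks for the chain as an ordered subsequence (so a stray WriteProcessMemory before any CreateProcess does not fire), and reports whether all call sites fall in one dumped region. The sample trace is constructed from the API lines shown on this page; their order is an assumption taken from the execution graph, the ResumeThread line is constructed (the graph gives only the block address 24e6628, not a call site), and the 64 KiB region bucketing is a heuristic based on how the report names its dumps.

```python
"""Flag a process-hollowing API chain in sandbox-style API call lines.

Added example; not code from the Joe Sandbox report or from the sample.
Input lines copy the report's own "APIs" format:
    Name.Module(arg,arg,...), ref: CALLSITE
The constructed trace below reuses the call lines shown on this page; their
ORDER is an assumption taken from the execution graph, and the ResumeThread
line is constructed (the graph gives only the block address 24e6628).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*\u2022?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int  # call-site address


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report-style API line; return None for anything else."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(a.strip() for a in raw.split(",")) if raw else ()
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_trace(text: str) -> List[ApiCall]:
    """Parse a block of lines, skipping headings and non-API lines."""
    calls = [parse_api_line(ln) for ln in text.splitlines()]
    return [c for c in calls if c is not None]


# One set of acceptable names per step so A/W, Wow64 and Nt* variants all match.
HOLLOWING_CHAIN = (
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"},
    {"ResumeThread", "NtResumeThread"},
)


def match_chain(calls, chain=HOLLOWING_CHAIN) -> Optional[List[ApiCall]]:
    """Return the calls that realise `chain` as an ordered subsequence, else None.

    Order matters: WriteProcessMemory before CreateProcess is not hollowing.
    Unrelated calls in between (e.g. ReadProcessMemory) are allowed.
    """
    matched, step = [], 0
    for call in calls:
        if step < len(chain) and call.api in chain[step]:
            matched.append(call)
            step += 1
    return matched if step == len(chain) else None


def common_region(calls, granularity=0x10000) -> Optional[int]:
    """Base of the region all call sites fall in, or None if they are spread out.

    Heuristic (assumption): the report names dumps by a 64 KiB-aligned base such
    as 024E0000, so call sites are bucketed at that granularity.
    """
    bases = {c.ref & ~(granularity - 1) for c in calls}
    return bases.pop() if len(bases) == 1 else None


def detect_hollowing(text: str) -> Optional[dict]:
    """Return a finding dict when the full chain is present, else None."""
    calls = parse_trace(text)
    matched = match_chain(calls)
    if matched is None:
        return None
    return {
        "sequence": [c.api for c in matched],
        "call_sites": [f"{c.ref:08X}" for c in matched],
        "single_region": common_region(matched),
    }


# Constructed trace: API lines copied from this report, ordered per the
# execution graph; the ResumeThread line is constructed (see module docstring).
TRACE = """
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 024E6CEE
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024E69A0
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024E67DE
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024E68C0
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 024E6716
• ResumeThread.KERNELBASE(?), ref: 024E6628
"""

# Constructed control: the same binary's GUI path plus a plain process start,
# which must not fire (no remote allocation/write/context change).
BENIGN = """
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D81EE2
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04D84461
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 024E6CEE
• ResumeThread.KERNELBASE(?), ref: 024E6628
"""

if __name__ == "__main__":
    print(detect_hollowing(TRACE))
    print(detect_hollowing(BENIGN))
```

                               Requiring the chain in order, rather than merely the presence of each API, is what keeps the rule quiet on debuggers and installers that touch some of these calls; the single-region check adds a second signal, since legitimate callers of these APIs live in PE-backed images while here every call site sits in the same non-PE-backed 024E0000 region.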

                              Control-flow Graph

                               Function 24e6aac–24e6dfd (nodes 1213–1269). The flattened graph rendering is omitted; the CreateProcessA call lies in block 24e6c47-24e6d01, which branches to 24e6d03-24e6d09 (failure path) or 24e6d0a-24e6d90 (success path). Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 024E6CEE
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: f62beaf6447f2ccacfaa0b075d30c4b3a0eb35e37949c63136ddb2fcc932ba99
                              • Instruction ID: c1ab5515104b067a369b55f63dd3c71732fbfee523c02fb51d022c3beda2bacd
                              • Opcode Fuzzy Hash: f62beaf6447f2ccacfaa0b075d30c4b3a0eb35e37949c63136ddb2fcc932ba99
                              • Instruction Fuzzy Hash: 6DA17A71D00229CFEF24CF68C840BEEBBB6EF48315F15856AE859A7240DB749985CF91

                              Control-flow Graph

                               Function 24e6ab8–24e6dfd (nodes 1270–1326), an alternate entry into the same body as 24e6aac. The flattened graph rendering is omitted; the CreateProcessA call lies in block 24e6c47-24e6d01, which branches to 24e6d03-24e6d09 or 24e6d0a-24e6d90. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 024E6CEE
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: b511ae0573d348688c5a79420dc52d1b32027e0d1b5df9e5a88d0204245bc33e
                              • Instruction ID: cc2365ed9d9fa024b7b990f4360ece18cdfcee93e127ddf6777915c3543b7fb8
                              • Opcode Fuzzy Hash: b511ae0573d348688c5a79420dc52d1b32027e0d1b5df9e5a88d0204245bc33e
                              • Instruction Fuzzy Hash: A0916971D00329CFEF24CF69C840BEEBBB6EB48315F15856AE819A7240DB749985CF91

                              Control-flow Graph

                               Function 4d81dc4–4d81f41 (nodes 1327–1340). The flattened graph rendering is omitted; the CreateWindowExW call lies in block 4d81e53-4d81ef2, which branches to 4d81ef4-4d81efa or 4d81efb-4d81f33. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D81EE2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1603270632.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_4d80000_workbook.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 950bf30af60d40010ada95c9e3dffb08fa9a6303c202847dba0241c278bb544a
                              • Instruction ID: 926e7a2cfd19e4700af22d11a0a71e4271d13e2540c37a76e0794fc9e53d9d65
                              • Opcode Fuzzy Hash: 950bf30af60d40010ada95c9e3dffb08fa9a6303c202847dba0241c278bb544a
                              • Instruction Fuzzy Hash: 9E51CEB1D10349DFDB15DF99C884ADEBBB5BF48310F24822AE818AB254D775A846CF90

                              Control-flow Graph

                               Function 4d81dd0–4d81f41 (nodes 1341–1354), an alternate entry into the same body as 4d81dc4. The flattened graph rendering is omitted; the CreateWindowExW call lies in block 4d81e53-4d81ef2, which branches to 4d81ef4-4d81efa or 4d81efb-4d81f33. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D81EE2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1603270632.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_4d80000_workbook.jbxd
                              Similarity
                              • API ID: CreateWindow
                              • String ID:
                              • API String ID: 716092398-0
                              • Opcode ID: 851a944ff807edebdd1907a46944689ce60d298a423e2f402e804dd1cf457df7
                              • Instruction ID: cabd2d2d1b30a58abc64e3dc943538dc1115cd98860b5891d8e71ec0a52c88aa
                              • Opcode Fuzzy Hash: 851a944ff807edebdd1907a46944689ce60d298a423e2f402e804dd1cf457df7
                              • Instruction Fuzzy Hash: 8741ADB1D10349DFDB15DF9AC884ADEBBB5BF48310F24812AE818AB214DB75A845CF90

                              Control-flow Graph

                               Function cb44b4–cb5a61 (nodes 1355–1371). The flattened graph rendering is omitted; the CreateActCtxA call lies in the entry block cb44b4-cb59d9, which branches to cb59db-cb59e1 or cb59e2-cb5a3c. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00CB59C9
                              Memory Dump Source
                              • Source File: 00000007.00000002.1534938394.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_cb0000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: f136c0a218a07befb63c0f4807b88899699896081a1afbbfd67fcd21bb6cc9ec
                              • Instruction ID: cbeab4de0a0b1a4945901e7350827e770335a08f119089113cc53e76476e2626
                              • Opcode Fuzzy Hash: f136c0a218a07befb63c0f4807b88899699896081a1afbbfd67fcd21bb6cc9ec
                              • Instruction Fuzzy Hash: 3041D0B0D0071DCBEB24DFA9C884BDEBBB5BF49304F20856AD408AB251DB756946CF94

                              Control-flow Graph

                               Function cb590d–cb5a61 (nodes 1372–1387), an alternate entry into the same body as cb44b4. The flattened graph rendering is omitted; the CreateActCtxA call lies in the entry block cb590d-cb59d9, which branches to cb59db-cb59e1 or cb59e2-cb5a3c. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 00CB59C9
                              Memory Dump Source
                              • Source File: 00000007.00000002.1534938394.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_cb0000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: f6494b04ba7fc95673f5d344c45de6f95fb5a634ebf49d8a1d68a44527b18111
                              • Instruction ID: 2a48fc4968847a1f1fad059c774138f62ed653886742a39d92a4c2ac6d618a36
                              • Opcode Fuzzy Hash: f6494b04ba7fc95673f5d344c45de6f95fb5a634ebf49d8a1d68a44527b18111
                              • Instruction Fuzzy Hash: 6541C471D0072DCBEB24DFA9C884BDDBBB1BF48304F20855AD408AB255DB75594ACF50

                              Control-flow Graph

                               Function 4d843a0–4d844bc (nodes 1388–1399). The flattened graph rendering is omitted; the CallWindowProcW call lies in block 4d8443a-4d84472, which branches to 4d84474-4d8447a or 4d8447b-4d8448a before rejoining at 4d844af-4d844bc. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D84461
                              Memory Dump Source
                              • Source File: 00000007.00000002.1603270632.0000000004D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_4d80000_workbook.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: e7467436845869611636f6f66432d85697206ba684dc5c1b1bc4a770f217206a
                              • Instruction ID: 8f856303032637a3b64d88d2e0332cdd840bc403cfa2007679202ef30193e0a8
                              • Opcode Fuzzy Hash: e7467436845869611636f6f66432d85697206ba684dc5c1b1bc4a770f217206a
                              • Instruction Fuzzy Hash: C54108B9A00309DFDB14DF99C448AAABBF5FF88318F24C45DD519AB321D375A841CBA1

                              Control-flow Graph

                               Function 24e6829–24e6906 (nodes 1402–1408). The flattened graph rendering is omitted; the WriteProcessMemory call lies in block 24e688e-24e68cd, which branches to 24e68cf-24e68d5 or 24e68d6-24e6906. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024E68C0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 585152718e7fe49aaa5d90a1078c23dbe5f572231ba9bcbf25ad568305fbc5c1
                              • Instruction ID: 77d86eba754ba6182a9b6e6c8060e54e3932c1ceb71675b9c3abf9f3a4676b53
                              • Opcode Fuzzy Hash: 585152718e7fe49aaa5d90a1078c23dbe5f572231ba9bcbf25ad568305fbc5c1
                              • Instruction Fuzzy Hash: 7C212371D003499FDB24CFA9C884BEEBBF5FF48310F10842AE959A7241C7799955CBA4

                              Control-flow Graph

                               Function 24e6830–24e6906 (nodes 1412–1418), an alternate entry into the same body as 24e6829. The flattened graph rendering is omitted; the WriteProcessMemory call lies in block 24e688e-24e68cd, which branches to 24e68cf-24e68d5 or 24e68d6-24e6906. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 024E68C0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 2fdbd00dbe58f213477003a6b45594bb48f38260049711ce8ce3481c0bea3fb5
                              • Instruction ID: 25ab6bd3165e6cf7e500936ff6b3aa7133bf06b38b7d9555b1d662a936ad6dc3
                              • Opcode Fuzzy Hash: 2fdbd00dbe58f213477003a6b45594bb48f38260049711ce8ce3481c0bea3fb5
                              • Instruction Fuzzy Hash: F4211372D003499FDB14CFAAC884BEEBBF5FB48310F10842AE959A7240C7799954CBA5

                              Control-flow Graph

                               Function 24e6690–24e675c (nodes 1422–1428). The flattened graph rendering is omitted; the Wow64SetThreadContext call lies in block 24e66f3-24e6723, which branches to 24e6725-24e672b or 24e672c-24e675c. Executed/not-executed colouring is not recoverable from the text.
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 024E6716
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: ffc2071d97f5a10e7705a5be7819119ed79fa7f5f3dee680f65b373a108382cf
                              • Instruction ID: 80642a8fec9e1fad7c01f6824922fd8ec5453c3a3766c178e08dd4d0f548bf8e
                              • Opcode Fuzzy Hash: ffc2071d97f5a10e7705a5be7819119ed79fa7f5f3dee680f65b373a108382cf
                              • Instruction Fuzzy Hash: 73214571D007098FEB14CFAAC485BEEBBF4EF48224F14842AD459A7241CB789944CBA1
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00CBD766,?,?,?,?,?), ref: 00CBD827
                              Memory Dump Source
                              • Source File: 00000007.00000002.1534938394.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_cb0000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: f5e64a1e4b755d6eaa1a9d42b0dc77ef2c24e1e073ac98420964da357bac5aad
                              • Instruction ID: 65e5562a4e00556c0878956ba2ee7eb98bfb26790a8d6fe012dbb74c5ac728c2
                              • Opcode Fuzzy Hash: f5e64a1e4b755d6eaa1a9d42b0dc77ef2c24e1e073ac98420964da357bac5aad
                              • Instruction Fuzzy Hash: 652103B5D00248EFDB10CF9AD484AEEBBF4EB48310F10842AE919A7350D379A950CFA5
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024E69A0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: d73f3714f79fcfbb840dc233e67403f3dce9e134e01d61ab47e01abab5a3a310
                              • Instruction ID: c646ce453f84ae63b5b28a4148970246adc73e48eaef0faa836a6748413750bd
                              • Opcode Fuzzy Hash: d73f3714f79fcfbb840dc233e67403f3dce9e134e01d61ab47e01abab5a3a310
                              • Instruction Fuzzy Hash: B72105B1D003499FDB14CFA9C941BEEBBF5FF48310F10882AE959A7240CB3999458BA5
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 024E6716
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 04e7073e9ab20bea970f3ed3a69acbbcf6aef3b0163a3e4397e00dd949114e19
                              • Instruction ID: 03b641567c156bde7408b2a4e7c942e0f718d53b1e0f262a2d6b094137b3333c
                              • Opcode Fuzzy Hash: 04e7073e9ab20bea970f3ed3a69acbbcf6aef3b0163a3e4397e00dd949114e19
                              • Instruction Fuzzy Hash: 31213771D003098FEB14DFAAC485BEEBBF4EB48214F14842AD559A7240CB789945CFA5
                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 024E69A0
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 39d7242ad23780b0fb3c5f70216ff426bee15b0bc9aa1028a6023eee3ee94ae9
                              • Instruction ID: 7606697344ee63a06f32af2a7ccbc046d126b67a8486eccbeb45fe0ca6053bb9
                              • Opcode Fuzzy Hash: 39d7242ad23780b0fb3c5f70216ff426bee15b0bc9aa1028a6023eee3ee94ae9
                              • Instruction Fuzzy Hash: B5211671C003499FDB14CFAAC940BEEBBF5FF48310F10842AE959A7240C7399500CBA5
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024E67DE
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: afb6e28b9ad996cbc80bdd97a668bc968224ede3af283daf1e618b0cc95e3c45
                              • Instruction ID: db7479c2ca84270e5f733a2354f1ea0aa650180e4c02f769142e0542ec4d7517
                              • Opcode Fuzzy Hash: afb6e28b9ad996cbc80bdd97a668bc968224ede3af283daf1e618b0cc95e3c45
                              • Instruction Fuzzy Hash: 0B2136729002499FDB20CFA9C845BEEBBF5EF88314F14841AE555A7250CB369955CBA0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBB871,00000800,00000000,00000000), ref: 00CBBA82
                              Memory Dump Source
                              • Source File: 00000007.00000002.1534938394.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_cb0000_workbook.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: e6c885715e04350d622ff9d250b688b753d6758faab3b601bc986660ba4c7a91
                              • Instruction ID: 54b4604b3002e3928bdd455302d412c07fd4108635a914ed3eea0c5a6ebbe241
                              • Opcode Fuzzy Hash: e6c885715e04350d622ff9d250b688b753d6758faab3b601bc986660ba4c7a91
                              • Instruction Fuzzy Hash: 451114B6C00349DFDB20CF9AC444ADEFBF5EB48310F10842AE819A7600C3B5A945CFA5
                              APIs
                              • ResumeThread.KERNELBASE(?), ref: 024E664A
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: ba99d555d3fe2e8ce05ce5249920651526326da58cac441dd1a562b0cb7b1741
                              • Instruction ID: 70f64a29a75e400e660f2220fda6265244925fe60e1e959710bc8529864a5a5c
                              • Opcode Fuzzy Hash: ba99d555d3fe2e8ce05ce5249920651526326da58cac441dd1a562b0cb7b1741
                              • Instruction Fuzzy Hash: C61167B1D003498FDB20CFAAC444BEEBBF5EF88210F24841AD455A7240CB35A905CB94
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 024E67DE
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: f73160ed2f3f737e7fc3de66250a650ce9049d83d82c8245f70b5b5901f53671
                              • Instruction ID: ece030f5feb33c4ec965efc2e17b6edacf4fd3bcf2ecba4d4501539d319f6f02
                              • Opcode Fuzzy Hash: f73160ed2f3f737e7fc3de66250a650ce9049d83d82c8245f70b5b5901f53671
                              • Instruction Fuzzy Hash: 23115672C00349DFDB20CFAAC844BDFBBF5EB48310F10841AE515A7250CB35A540CBA1
                              APIs
                              • ResumeThread.KERNELBASE(?), ref: 024E664A
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 4e0257b62cec1240a814f34452a69c074188a5d40cfc5bbc522a200d09cb801b
                              • Instruction ID: 8ad2b6a9bd8e0fc4ab156b14b7863bb197c37b26c354587c8f37289931274b63
                              • Opcode Fuzzy Hash: 4e0257b62cec1240a814f34452a69c074188a5d40cfc5bbc522a200d09cb801b
                              • Instruction Fuzzy Hash: C61128B1D003498FDB24DFAAC444BDFFBF4EB48214F24841AD519A7340CB79A540CB95
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00CBB3F6
                              Memory Dump Source
                              • Source File: 00000007.00000002.1534938394.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_cb0000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 2b707a78bd6f5f86fd68404a1ebe29f7bd62246fab15dee5c81b272d653c6817
                              • Instruction ID: 269339ecabc281e309e37d64051cb5ef093ca40b87a83a1ab0896f2fd055f745
                              • Opcode Fuzzy Hash: 2b707a78bd6f5f86fd68404a1ebe29f7bd62246fab15dee5c81b272d653c6817
                              • Instruction Fuzzy Hash: CF11DFB6C00749CFDB24CF9AD444ADEFBF4EB88310F10842AD469A7611C3B9A945CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 024E9285
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: e39afc6c2b003d3e57a5e6359e47d1a0cd2f2154bf5023ffeaaf47095d60b881
                              • Instruction ID: cc514ab4468c5fe253bcce6592d62ebc6520e04ed51dc0ee7da79e3a2c7fcba7
                              • Opcode Fuzzy Hash: e39afc6c2b003d3e57a5e6359e47d1a0cd2f2154bf5023ffeaaf47095d60b881
                              • Instruction Fuzzy Hash: 4F1103B5800349DFEB20CF9AD445BDEBBF8EB48314F10885AE959A7340C375A944CFA5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 024E9285
                              Memory Dump Source
                              • Source File: 00000007.00000002.1536024368.00000000024E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_24e0000_workbook.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: c60cbadba69a0de2a922853750d9604f7de8044cec544add8cdf215df7b2d1e9
                              • Instruction ID: 74cc916c3fef636c01f004840197685f916510b2f0644c606b9a8ca7e6cf0637
                              • Opcode Fuzzy Hash: c60cbadba69a0de2a922853750d9604f7de8044cec544add8cdf215df7b2d1e9
                              • Instruction Fuzzy Hash: 3D11F5B5800349DFDB20CF99D585BDEBBF4EB88314F10881AE458A7640C375A944CFA1
                              Memory Dump Source
                              • Source File: 00000007.00000002.1528698018.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_90d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 92d439c33e51cc36a41b2bc45258d15b099f05dcfecba9985b9b1f956217c7c4
                              • Instruction ID: fd21bb3dcb33a4c67079e7b5dab3d6b01fc1fb9a9feac155545a0fb20e818cb1
                              • Opcode Fuzzy Hash: 92d439c33e51cc36a41b2bc45258d15b099f05dcfecba9985b9b1f956217c7c4
                              • Instruction Fuzzy Hash: 5E212872500204DFDB14DF54D9C0B26BB65FB94324F20C56DE9090F2E6C33AE856CAA2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1528698018.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_90d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4a696c709d0346707f8090d5e9e826b93bb9ce6d50639689edd0caf90b5a5544
                              • Instruction ID: d4d7b51d264a6fab97d6ccfd25ccd9f236a2c7a2d8a9f1630a745125aa7b93f4
                              • Opcode Fuzzy Hash: 4a696c709d0346707f8090d5e9e826b93bb9ce6d50639689edd0caf90b5a5544
                              • Instruction Fuzzy Hash: E621D372505240EFDB15DF54D9C0B26BF65FB88318F24C569ED090F29AC33AD856CAA2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1533988071.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_bed000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6f55081b73d1f9d5c8647da0db7c44542973cc222f9da89ed287c894f31754b7
                              • Instruction ID: ff19c3e2a90845672e35c7e5841cb7267d7157094aef81ce81bb9d5f7a389a7b
                              • Opcode Fuzzy Hash: 6f55081b73d1f9d5c8647da0db7c44542973cc222f9da89ed287c894f31754b7
                              • Instruction Fuzzy Hash: 4621D371504280DFDB14DF25D5D4B16BBA5FB84314F28C5ADE80A4B297C376D847CA62
                              Memory Dump Source
                              • Source File: 00000007.00000002.1533988071.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_bed000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c841be9e6d2e7d113a4a592ef65c7a95426bb6daf28ac7088f59f4f9b19a106c
                              • Instruction ID: faced2359aeecb010f5ad2b9b2f956c4e863ad50c36af781c03ef0ed5d562025
                              • Opcode Fuzzy Hash: c841be9e6d2e7d113a4a592ef65c7a95426bb6daf28ac7088f59f4f9b19a106c
                              • Instruction Fuzzy Hash: 9A212975A04380EFDB15DF25D5C0B25BBE5FB84314F20C5ADEA094F292C376D846CA62
                              Memory Dump Source
                              • Source File: 00000007.00000002.1533988071.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_bed000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa422caf254f2aa701cc2d11649f8687af3d2fb011ec84ba296a99d4b2902f31
                              • Instruction ID: 238fdcc14fdad08bf19bb9edd4496f3fd35310105330bb4ece27b239709dd9c1
                              • Opcode Fuzzy Hash: fa422caf254f2aa701cc2d11649f8687af3d2fb011ec84ba296a99d4b2902f31
                              • Instruction Fuzzy Hash: 482192755093C09FCB16CF20D590715BFB1EB45314F28C5EAD8498B697C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000007.00000002.1528698018.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_90d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction ID: 168e95a3edbf2736ef04e2fc505076c431525388222c8ff933ac61261b70b641
                              • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction Fuzzy Hash: 8D1103B2404240DFDB15CF40D5C0B16BF72FB94324F24C6A9D8090B6A6C33AE856CBA2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1528698018.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_90d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction ID: d0ade165dc9a66faa792762bb97ef14b2d04bde6ee3e60031778ea086b16dd07
                              • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                              • Instruction Fuzzy Hash: 7E110372404280DFCB15CF50D9C0B16BF71FB88314F24C6A9EC090B69AC336D85ACBA2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1533988071.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_bed000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction ID: deec4be3574f0f3cc4f9f0116076a79add94e4984f2d2d5dece8e9bf374a0792
                              • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction Fuzzy Hash: 50118B75904280DFDB15CF10D6C4B15FBA1FB84314F24C6A9D9494B696C37AD84ACB62
                              Memory Dump Source
                              • Source File: 00000007.00000002.1528698018.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_90d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a9ca85665a29c14aa7a5c3c21f4cf1d7353431009e182517f51485b814ab134
                              • Instruction ID: fc14e833ff9d0e1548741902643cfa6f4445bfb6ca7ad522037a63aa4f4eb354
                              • Opcode Fuzzy Hash: 2a9ca85665a29c14aa7a5c3c21f4cf1d7353431009e182517f51485b814ab134
                              • Instruction Fuzzy Hash: B401DBB1405344DEE7204B65CC84B66FBDCEF41770F18C95AED094E2C6C3799840CAB2
                              Memory Dump Source
                              • Source File: 00000007.00000002.1528698018.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_90d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fe8b6d5ce0ad3f96fc8ec924c0e0be187f845d0211ed67bd0c148ced7ff950c0
                              • Instruction ID: caf3a230b53ec43fcb6fca0ab83dcf00228780f8c6d263749e947fc1e554259b
                              • Opcode Fuzzy Hash: fe8b6d5ce0ad3f96fc8ec924c0e0be187f845d0211ed67bd0c148ced7ff950c0
                              • Instruction Fuzzy Hash: 32F06272405344AEEB248A16DD84BA6FFACEF51734F18C55AED084F2C6C279A844CAB1

                              Execution Graph

                              Execution Coverage:10.3%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:95
                              Total number of Limit Nodes:11
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ef30bcb86131cc2e962e1fd23d3a0800eb365af1259fff328c9d8a7e28790d7
                              • Instruction ID: 08861404b53293d3ed90d83d2c7effae0fce7b1ccae93907d7714a8f9594d2fc
                              • Opcode Fuzzy Hash: 1ef30bcb86131cc2e962e1fd23d3a0800eb365af1259fff328c9d8a7e28790d7
                              • Instruction Fuzzy Hash: 2D829F75B007158FDB15CF69D49462EBBF2BF89321F14856DE59A8B391CB30E802CB92

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'q$j^
                              • API String ID: 0-4293944153
                              • Opcode ID: ac7404cd6fa8d3b61524a886385e0e5dc2d15d091bde720b50cc608538ef88a2
                              • Instruction ID: 3d790ab8694ee320c6b6667c0dd170f6e6a61bf25dadf3ea21559709521df75d
                              • Opcode Fuzzy Hash: ac7404cd6fa8d3b61524a886385e0e5dc2d15d091bde720b50cc608538ef88a2
                              • Instruction Fuzzy Hash: D1A15911D48BB69BFF227B7C58203DA3B55EF86162F18016BD1D1CF2A1EA58444B83D7

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'q$4'q
                              • API String ID: 0-1467158625
                              • Opcode ID: c8eb12d5def2e50be2825853517f8f47584230992732493ad93042a0ffc89b66
                              • Instruction ID: 9df713b5203748da81d30d199266e42190873318cefea4dedf061d6751f7490e
                              • Opcode Fuzzy Hash: c8eb12d5def2e50be2825853517f8f47584230992732493ad93042a0ffc89b66
                              • Instruction Fuzzy Hash: 5DC1D875B10218CFDB44EFA8C994AADB7B6FF89301F104569E506AB3A5DB31EC42CB50

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'q$4'q
                              • API String ID: 0-1467158625
                              • Opcode ID: 13b39be71b69910a99ea1279e1d723730cb097a5ff3f804e5e4eeffe4fc938d9
                              • Instruction ID: 42d79fe42ec864c5116e3da0d8038080adf01714e82e56873dcf8abd57d70f3a
                              • Opcode Fuzzy Hash: 13b39be71b69910a99ea1279e1d723730cb097a5ff3f804e5e4eeffe4fc938d9
                              • Instruction Fuzzy Hash: 8AC1EB75B10218CFDB44EFA4C994AAEB7B6FF89301F104569E506AB3A5DB70EC42CB50

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0

                              Control-flow Graph: function at 1bc6414, calls CreateActCtxA
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 01BC7421
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0

                              Control-flow Graph: function at 1bc7364, calls CreateActCtxA
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 01BC7421
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0

                              Control-flow Graph: function at 1bc6780, calls DuplicateHandle
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01BC674E,?,?,?,?,?), ref: 01BC680F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph: function at 1bc611c, calls DuplicateHandle
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,01BC674E,?,?,?,?,?), ref: 01BC680F
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph: function at 8596680 (calls into 8592fc8, 8596b48, 8596b38, 8596b14, 8590788, 8590950, 85963c8, 8596360, 85919d0, 8590a20)
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: Plq
                              • API String ID: 0-3623438852

                              Control-flow Graph: function at 1bcc294, calls LoadLibraryExW
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01BCC6D1,00000800,00000000,00000000), ref: 01BCC8E2
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0

                              Control-flow Graph: function at 1bcaf60, calls GetModuleHandleW
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,01BCC01C), ref: 01BCC256
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3851157677.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1bc0000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0

                              Control-flow Graph: function at 8596650 (calls into 8592fc8, 8596b48, 8596b38, 8596b14, 8590788, 8590950, 85963c8, 8596360, 85919d0, 8590a20)
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: Plq
                              • API String ID: 0-3623438852
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: 4'q
                              • API String ID: 0-1807707664
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 66d6a4fd90e63fa6007d4183eac7b0dd56d210bb18321ba5ee9478583578bc6f
                              • Instruction ID: ac91269c0fb1996e7ed184b942e4c9dcdeef8a49991e52570bde4710b0b5d098
                              • Opcode Fuzzy Hash: 66d6a4fd90e63fa6007d4183eac7b0dd56d210bb18321ba5ee9478583578bc6f
                              • Instruction Fuzzy Hash: 3341A331B007148FDF60DB68E54025EBBF1FF84621B54496ED19ACBA54EA34E841CB81
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 59323a5df63ce02f57bf119c119d733aaaa7760d57265b34e507efdf57c96044
                              • Instruction ID: 979b4d030689cf912a7da9b1348ee1a71c30a219ddc53202b9d304f2f7d5114e
                              • Opcode Fuzzy Hash: 59323a5df63ce02f57bf119c119d733aaaa7760d57265b34e507efdf57c96044
                              • Instruction Fuzzy Hash: 9C41AE31B002149FCB15DB69D854A9EBBF6FFC9320B2585AAE509DB361DB35EC01CB90
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0eeb146d63d57fc83cf9794843fb25603c35d04c770625e80c85947c1ba59578
                              • Instruction ID: 9342a20eb7f0271c7b6f05f2af0f3bdedf2ef8c848a0acd99f43d0b18746b796
                              • Opcode Fuzzy Hash: 0eeb146d63d57fc83cf9794843fb25603c35d04c770625e80c85947c1ba59578
                              • Instruction Fuzzy Hash: A1318B34B106048FCB45EF78C854A6E7BBABFCA700B10856AD5029B3A5DF349D46CBE1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f66986e0f6b0baf304c14a26fae733b5f283a5bbef171dfc41d7bb3a65eafa21
                              • Instruction ID: db1ef5f8b56d84af692817db272ac6a55c8f746bce79016053cc34b271d1730c
                              • Opcode Fuzzy Hash: f66986e0f6b0baf304c14a26fae733b5f283a5bbef171dfc41d7bb3a65eafa21
                              • Instruction Fuzzy Hash: B6311935A00118DBDF14EB64D855AEEB7B6FF88352F108069E901B7394CB35AD05CBA0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 301e63e60e931fbe08e4fb0f8fafedd8d296be735f72f4f8edf7d94af3475688
                              • Instruction ID: 78ccf1d51802ac067df46c0a1055bba05a5753226d5ce8fcd62174e0586ea765
                              • Opcode Fuzzy Hash: 301e63e60e931fbe08e4fb0f8fafedd8d296be735f72f4f8edf7d94af3475688
                              • Instruction Fuzzy Hash: 4B316034B106158FCB44FF68C894A6EB7BABFC9700F10856AD5069B394DF749D428BE1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3850693507.0000000001AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AFD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1afd000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6b934becbbfd090066717cb5fca85624b2cacddc72d1436a16aed6205871657
                              • Instruction ID: 4b84e70e44839c85b11ffaa7708ecbd38b400a13a4d9fd91a0b58d464d85c0b5
                              • Opcode Fuzzy Hash: d6b934becbbfd090066717cb5fca85624b2cacddc72d1436a16aed6205871657
                              • Instruction Fuzzy Hash: 4E21D371504200EFDB16DFA4D584B16BB65FB84364F24C56DEA0A4B296C336D847CA62
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3850693507.0000000001AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AFD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1afd000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1c589751b61297228e347d19655d99ee407d9a329aefe0fce070c9c573376702
                              • Instruction ID: 157bc78030027fd61d80b2d8f10a064be51dda1c2cb65d0a20def7d3a6cb53f3
                              • Opcode Fuzzy Hash: 1c589751b61297228e347d19655d99ee407d9a329aefe0fce070c9c573376702
                              • Instruction Fuzzy Hash: 5221F575504300EFDB16DF94D5C0B26BB65FB84324F24C56DFA094F292C336D446CAA1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cce96b84c302c08e79543520e2f84f7bb110b7a40c386019778a3b0a81f102cc
                              • Instruction ID: acc456a0782112d11f6a718a4519626f58c08e71e42c0958fc9888091fe3cdda
                              • Opcode Fuzzy Hash: cce96b84c302c08e79543520e2f84f7bb110b7a40c386019778a3b0a81f102cc
                              • Instruction Fuzzy Hash: 17217C31A00219DFDF169FA8C444AEE7FB6FF8D320F144129E415AB390DB319846CBA1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4215d48343b6136f0d951350d4e68dbcdec480bf0318fae94890074129c5c08
                              • Instruction ID: 16675d202714e84e04afecf721e35b326afdc82b633511de42193d85569cfd35
                              • Opcode Fuzzy Hash: c4215d48343b6136f0d951350d4e68dbcdec480bf0318fae94890074129c5c08
                              • Instruction Fuzzy Hash: 50216A31A002189FDF159FA8C844AEE7FB6FF8D320F145129F415AB390DB319842CBA0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e192edcf70476ca152d2e4829b02bbfd89ae0f165eeac730039947efadfe15b
                              • Instruction ID: e99608428d07e1a42bb53e99cadcaa416bcef1c777a4086d239e5a8993bad10d
                              • Opcode Fuzzy Hash: 1e192edcf70476ca152d2e4829b02bbfd89ae0f165eeac730039947efadfe15b
                              • Instruction Fuzzy Hash: 3421C030B002048FCB55EF68D984A6EBBF6BF89310F14456AE4069B3A1DB70ED46CB61
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3850693507.0000000001AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AFD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1afd000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b3aaacc7c93e1275794e1553cad76c1196450fa17a5eed5fee5673ed4a7c5db
                              • Instruction ID: e67ff48b86486bad493f3528c55445beec9033248708953fbf2f07d9e26acfa6
                              • Opcode Fuzzy Hash: 1b3aaacc7c93e1275794e1553cad76c1196450fa17a5eed5fee5673ed4a7c5db
                              • Instruction Fuzzy Hash: 4521BE755093808FCB03CF64D990715BF71EB46224F28C5EAD9498F6A7C33A980ACB62
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 21212244bf3d08bd3c86df6e92137e14d8d4516c42f7ea9fde7c097db3034154
                              • Instruction ID: 64f256316658e8549fcd2b90e9b4a7c78f77563af85d89a04378c8cf4c813243
                              • Opcode Fuzzy Hash: 21212244bf3d08bd3c86df6e92137e14d8d4516c42f7ea9fde7c097db3034154
                              • Instruction Fuzzy Hash: EE117934B006048FCB54EF68D984A6EB7BABF88310F144969E5169B3A0DB70AD45CBA1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3850693507.0000000001AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AFD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1afd000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction ID: 4799ff15ef1b68d949c2a673766a2ee3250a38d3060e8bde2aa6c6e60383fbfe
                              • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                              • Instruction Fuzzy Hash: 9311BE79504240DFDB16CF94D5C0B15FF61FB84324F24C6AEE9494B696C33AD40ACB91
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ca3893877b191a3c7be390a9235342757660a1ce3ea7bb28a55acd1ca35f802f
                              • Instruction ID: 5b3f2a729957c2810175ff507a8a089010ab17921dc56c777c5260d09b2d7a1a
                              • Opcode Fuzzy Hash: ca3893877b191a3c7be390a9235342757660a1ce3ea7bb28a55acd1ca35f802f
                              • Instruction Fuzzy Hash: A501C4353047809FCB26DB34D494A76BBA2BFC5321F1449ADE5968B791CB31EC06DB81
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e47b06e7b083b16163548c5021440e81c8c81ee8c6304dc3d4347ac809553ae3
                              • Instruction ID: cce24d6e50ceb88993e9c4baf0f6b5bccf28bdf7d30e38aa563946ecd658ef87
                              • Opcode Fuzzy Hash: e47b06e7b083b16163548c5021440e81c8c81ee8c6304dc3d4347ac809553ae3
                              • Instruction Fuzzy Hash: 7FF0F672304B214BDB06623C59106AF3B6AAFC7652B18486BD580CF3D1DE79DD43C3A5
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7341469c231c394fe986f5efe2ba162a66d71124f1c5c7671176cdc873d4f075
                              • Instruction ID: b58bead8f6235e5cc748d1a9941b3e82a5b395b628f9779249acfc3bf24ebf79
                              • Opcode Fuzzy Hash: 7341469c231c394fe986f5efe2ba162a66d71124f1c5c7671176cdc873d4f075
                              • Instruction Fuzzy Hash: 6D019E353007009FCB25AA34D444A6BB7A6FBC8321F14896CE5964B790CB71EC02DB80
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cf9cae81b0c5df33471dc95a9d6fa0c222b78e86e1ee619bcbf79a2137ccfb75
                              • Instruction ID: ce199cff279c9dcc6c74c5acc2c54da6ca47904bee416ffdff411653f8c2bcd6
                              • Opcode Fuzzy Hash: cf9cae81b0c5df33471dc95a9d6fa0c222b78e86e1ee619bcbf79a2137ccfb75
                              • Instruction Fuzzy Hash: CB0171753016409FC706EB24D45496EBBB2EFC971171085AEE946CB395CF35EC12CB91
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f144ca00521dc68f2db66e6237c9d76c15b88248af65e7f3ccc832a8b71ef24c
                              • Instruction ID: 843d649c78f395d7a151daa406c5f31c1a11b7d1481fb175ff12c662fd59144e
                              • Opcode Fuzzy Hash: f144ca00521dc68f2db66e6237c9d76c15b88248af65e7f3ccc832a8b71ef24c
                              • Instruction Fuzzy Hash: ED019235E006199FCB01DFA8D4445ADBFF5BF89311B1186AEE085E7320DB309A08CB52
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b59aa7a030509a05b1e35d007bd06bb475eaa2b2484b3a3b204c1abec459b09
                              • Instruction ID: 28889eae4a3de93057964b00d8e6baa1c577af2058856404a0052ab3be6f03ec
                              • Opcode Fuzzy Hash: 8b59aa7a030509a05b1e35d007bd06bb475eaa2b2484b3a3b204c1abec459b09
                              • Instruction Fuzzy Hash: E9016D753006109BC705AB25D454A6EB7A7EFCD711B208569EA0687394CF35EC02CBD0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 799babdbc47a8b63fd7c839487a7684c5d7d7d10e95f3e27852c0de9fccc20ae
                              • Instruction ID: b5e26d2686c1487c4a2242304ef15145d0e7758c798a570c68ee42de6cb1370b
                              • Opcode Fuzzy Hash: 799babdbc47a8b63fd7c839487a7684c5d7d7d10e95f3e27852c0de9fccc20ae
                              • Instruction Fuzzy Hash: 6C016235E00619DFCB00DFA9D54499EBBF9FF89711F108569E559A7310EB30AA08CF91
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf0ca9809b15626623917cdf0c1f717468e01a975d392eaefa73ca5ac6832cae
                              • Instruction ID: b563d7eb171393209bbfadb8d2406b41e9254a671aa59c55c2131132749af9b1
                              • Opcode Fuzzy Hash: bf0ca9809b15626623917cdf0c1f717468e01a975d392eaefa73ca5ac6832cae
                              • Instruction Fuzzy Hash: 5CF0AF353003009FC705AB28D854D2B7BB6EFCA720B1545AAE946CB371CA35EC42CB60
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3850623985.0000000001AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1aed000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a3ad13b6a01e9bfb9d51f8af568c1b90ec8d7fe0419d92c15482d42079b4f78
                              • Instruction ID: 66bcb1814216f9f1a16b52b82e43f2978221713ebf313f2ed212fd7a3d34135b
                              • Opcode Fuzzy Hash: 1a3ad13b6a01e9bfb9d51f8af568c1b90ec8d7fe0419d92c15482d42079b4f78
                              • Instruction Fuzzy Hash: 47F0F9B6600610AF97258F0AD885C23FBEDFBD4770719C59AF84A4B612C672FC41CEA0
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1e5808720e03163254871dd60bbacebfd1322cc33a46c0c98ccbe2800564c585
                              • Instruction ID: bd71f4854a6f07e7f0d6a5422efc6cd444875bae1174c227f9b10931d8b442a0
                              • Opcode Fuzzy Hash: 1e5808720e03163254871dd60bbacebfd1322cc33a46c0c98ccbe2800564c585
                              • Instruction Fuzzy Hash: 11F02E6130565047CB02726C451477F2A6E5FC2552F0844AFD581CF3D2CE79CD0283A1
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3850623985.0000000001AED000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_1aed000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 00afdd35eb964f6c59b8a1c1982185eecb8b2277baf861abeda7b24fee011511
                              • Instruction ID: a6911aee32f44be147282464cc9d453886eb2a0f4a7e9edd9745712b07fd217a
                              • Opcode Fuzzy Hash: 00afdd35eb964f6c59b8a1c1982185eecb8b2277baf861abeda7b24fee011511
                              • Instruction Fuzzy Hash: 9CF0C475104680AFD726CF1AC985C22BFF9EB897607198489E85A9B662C671FC42CF60
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bdb9d7496077e28934e8497c315129903d7e20bc138b3c534f8dcc754e9ce209
                              • Instruction ID: 6228794889d440075043a3f392d9ea8cf90bbb540b989fbc087be4cdebc3a7e2
                              • Opcode Fuzzy Hash: bdb9d7496077e28934e8497c315129903d7e20bc138b3c534f8dcc754e9ce209
                              • Instruction Fuzzy Hash: CFF0FE353007009FC714EB59D854D2A77AAEFC9721B154569FA568B360CE75EC42CB90
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7788384ba5c7d7bc03b7eb45ccbdd45a3457c5be1141bef3e91473766a25499f
                              • Instruction ID: 6cd30d9297cac7e5308b639907d30924035e254c24e2ec60349b6e3030dd8fdb
                              • Opcode Fuzzy Hash: 7788384ba5c7d7bc03b7eb45ccbdd45a3457c5be1141bef3e91473766a25499f
                              • Instruction Fuzzy Hash: 0DE04F2504E3C29FD303AB24C929141BF30BE17250B6940DBD88A8F433D726842AC725
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 209d374263b5285c50697b45e1edf74c5eba1ff5e658e0c783695f3fdca183ea
                              • Instruction ID: 1256c11010e67f8e4203774cf616f97b01f18dba943e46ee84090db0ca63c6ec
                              • Opcode Fuzzy Hash: 209d374263b5285c50697b45e1edf74c5eba1ff5e658e0c783695f3fdca183ea
                              • Instruction Fuzzy Hash: 81F030357001149FDB04CB58D945A69BBF5FF89224F158199E509AF362D672FC028B50
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eed5c586cef17bd0b9e1bfd5eded6c52a784e1e0e49cbf9e82e57da6315ab677
                              • Instruction ID: ae010b519cd43833b13894b01a99708d2a806cd1c2bbf5b9df419bc2cf197423
                              • Opcode Fuzzy Hash: eed5c586cef17bd0b9e1bfd5eded6c52a784e1e0e49cbf9e82e57da6315ab677
                              • Instruction Fuzzy Hash: 88E0C2713093904FE789A274686019A7A9B9BC6210314819FE546C7786CD718C028758
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e909d8176f2a610c2ed4fd031fa4c0341c961333b1bb80ef9390870f42d65b1
                              • Instruction ID: b7a3008fb71be01672ddccb1521b17a0344b8a28a08971fe27376b0f25a64e01
                              • Opcode Fuzzy Hash: 5e909d8176f2a610c2ed4fd031fa4c0341c961333b1bb80ef9390870f42d65b1
                              • Instruction Fuzzy Hash: F0D0123530431447D748B6BAA8105AFB6DFDBC9351B15802AEA0AC3B84CD70EC0247ED
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a0859b3826ea111bb2baaf011175393dadbdce6100b2f905225fd06182851f0b
                              • Instruction ID: 4019c2546448724c85697afe4e5bd0aad6b42382b78f20e3d06021820a60948b
                              • Opcode Fuzzy Hash: a0859b3826ea111bb2baaf011175393dadbdce6100b2f905225fd06182851f0b
                              • Instruction Fuzzy Hash: EBD092766496808FC703AB28E8598957FB19B5626132A41E3E888CF672C2258855D772
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 84add73a5a732dc160402635db92a9c17ac7e6c5b8341b1b5d5368a7d6200cf8
                              • Instruction ID: 08778bf928b74bd2afc0567df398cd94f2a6b4001a74ac8581229e8233ade251
                              • Opcode Fuzzy Hash: 84add73a5a732dc160402635db92a9c17ac7e6c5b8341b1b5d5368a7d6200cf8
                              • Instruction Fuzzy Hash: 01D0926400E3C05FC703DB288850806BF64AE4721471984DBA894DE266C666CD0AD762
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae2e8fd04506332be5bb4a1c5ee80712deac757cded9680a5c17ba602ddc95a3
                              • Instruction ID: fbd15b7be7a87474e02ea146d31eb13c22c66585772508da49e741c8a1f8eb14
                              • Opcode Fuzzy Hash: ae2e8fd04506332be5bb4a1c5ee80712deac757cded9680a5c17ba602ddc95a3
                              • Instruction Fuzzy Hash: F1B092B35919185B69111EB478089CE2717EA342A9B580172F28DC22119A0AC6038A94
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4e072403177d196cbaefd4b85e5eb5c099a1d67143a162b578d900aaef26ec66
                              • Instruction ID: bf4dad349e633d6fa53291cd413141fa0e8bf4b173bba39236ffe122d78730c9
                              • Opcode Fuzzy Hash: 4e072403177d196cbaefd4b85e5eb5c099a1d67143a162b578d900aaef26ec66
                              • Instruction Fuzzy Hash: CFD0C9F440C2405BC221CA10C954811BFA0ABD2705B0884AAAC858A157D626D912D751
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                              • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                              • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                              • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9b91d43a7415e5afd5858e8b9312c752c96a96e657e84eed476c34bfe3ce4c1f
                              • Instruction ID: a541e257c2606f18a9454f407b3f4512fdda3bdc54786bde47e3302ce1b57717
                              • Opcode Fuzzy Hash: 9b91d43a7415e5afd5858e8b9312c752c96a96e657e84eed476c34bfe3ce4c1f
                              • Instruction Fuzzy Hash: E7B09232004208AB8601AA84E904855BB69AB686407008025F609061118B32A822DB94
                              Strings
                              Memory Dump Source
                              • Source File: 0000000C.00000002.3882202142.0000000008590000.00000040.00000800.00020000.00000000.sdmp, Offset: 08590000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_12_2_8590000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID: (_q$(_q$(_q$(_q
                              • API String ID: 0-1088526261
                              • Opcode ID: d8a9105ae0ee6084c9b77a8d4d86192629a96f90c6fc017ecfc86a7848890aa3
                              • Instruction ID: 4887dd16266c41699278ce1c31507c56a542f74085cb63604f6a79b17d9e08fb
                              • Opcode Fuzzy Hash: d8a9105ae0ee6084c9b77a8d4d86192629a96f90c6fc017ecfc86a7848890aa3
                              • Instruction Fuzzy Hash: E6612134B057458FCB09DF78C85056EBBB2BF8A21072444ADE4869B3A2DF35DC86CB90

                              Execution Graph

                              Execution Coverage:9.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:427
                              Total number of Limit Nodes:22

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02EAC256
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 75bc230240b676f8273d2543cd176133d8614e3674f60730833c366b001c354d
                              • Instruction ID: c3838bc6bc4cb084a21c554b08268242d96359d26df5ea2492bf70c903506f47
                              • Opcode Fuzzy Hash: 75bc230240b676f8273d2543cd176133d8614e3674f60730833c366b001c354d
                              • Instruction Fuzzy Hash: 768135B0A00B458FD724DF69D45175ABBF2BF48208F10992EE08ADBB50DB35F846CB91

                              Control-flow Graph

                              APIs
                              • EnumThreadWindows.USER32(?,00000000,?), ref: 0545E259
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: EnumThreadWindows
                              • String ID:
                              • API String ID: 2941952884-0
                              • Opcode ID: ea9c4ac818fea8322e90fbd799b32bf103499152d1f475ef0dc047bb8528ffe9
                              • Instruction ID: c3c1218925d8069ebf47426f109c96b21ed25298ccae42986c1715f084ff995a
                              • Opcode Fuzzy Hash: ea9c4ac818fea8322e90fbd799b32bf103499152d1f475ef0dc047bb8528ffe9
                              • Instruction Fuzzy Hash: AC41B271A04205CFDB14DF9AC8407EEBBF9EF88320F14846AE419E7351CB389901CB65

                              Control-flow Graph

                              APIs
                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05454411
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: CallProcWindow
                              • String ID:
                              • API String ID: 2714655100-0
                              • Opcode ID: 6d8fc3cd8cdd1c0df0170b2de34c93653cd4ded0cb3554f13a6b65dbdc3a66cc
                              • Instruction ID: 7ad2c365f4cc3cc5611990b23ce1e3b608b2a578aeda47514fd40637d90265c7
                              • Opcode Fuzzy Hash: 6d8fc3cd8cdd1c0df0170b2de34c93653cd4ded0cb3554f13a6b65dbdc3a66cc
                              • Instruction Fuzzy Hash: 13412B79900205DFDB14CF95C448AAAFBF5FF88314F14C459E519AB322D375A841CFA0

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 02EA7421
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: d52d9ebe55718a1031100f4868ef55ce6d9f8cdaa93e631d8b7793e499cb7c31
                              • Instruction ID: dcf09328571155c9f88d8573d8221cf1de89c151a157aa7ff145ea20ce161095
                              • Opcode Fuzzy Hash: d52d9ebe55718a1031100f4868ef55ce6d9f8cdaa93e631d8b7793e499cb7c31
                              • Instruction Fuzzy Hash: 5441DDB1C00719CFEB24CFA9C854B8EFBB5BF49308F20806AD408AB251DB756946CF90

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 02EA7421
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: d67fcc474f8ac0c21664c4c7cd2c26c0d89a1f25018fa7f888768c856d3b49cb
                              • Instruction ID: bf04ea75dd7d0216733ea48b73510907d9247af3bbd100c87b34a6847e666526
                              • Opcode Fuzzy Hash: d67fcc474f8ac0c21664c4c7cd2c26c0d89a1f25018fa7f888768c856d3b49cb
                              • Instruction Fuzzy Hash: 4F41BF75D00729CFEB24CFA9C854B8EFBB5BF49308F20805AD418AB255DB756946CF90

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b54f1272e1659ac103c69a8791fc9ded232609970eaf3c700352a96331bac261
                              • Instruction ID: 95f3d1c2bedc58c415d9224a902facb8b0fac25bcd1c6f3ea6bd9c5ee6f65aa9
                              • Opcode Fuzzy Hash: b54f1272e1659ac103c69a8791fc9ded232609970eaf3c700352a96331bac261
                              • Instruction Fuzzy Hash: 39319172A043089FDB14DF59D844BEEBBF9EF89320F10845AE409E7351CB34A945CBA1

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: aa0b1c038a508392aafcb5f1f7de8a3a7b1280e000b0c8123f56dd20facc768b
                              • Instruction ID: 8305276f197621fc4e1e64ebedf781b98bc4a9fca07d374d3da11f0cc6c8b1aa
                              • Opcode Fuzzy Hash: aa0b1c038a508392aafcb5f1f7de8a3a7b1280e000b0c8123f56dd20facc768b
                              • Instruction Fuzzy Hash: A2319C72900348DFCB11DFAAD844AEEBFF8EF09260F14805AF954AB261C3359854DBA1

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02EA674E,?,?,?,?,?), ref: 02EA680F
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph (interactive graph not reproduced): basic blocks 2ea611c-2ea6842, calls DuplicateHandle
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02EA674E,?,?,?,?,?), ref: 02EA680F
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0

                              Control-flow Graph (interactive graph not reproduced): basic blocks 545c91c-545e29c, calls EnumThreadWindows
                              APIs
                              • EnumThreadWindows.USER32(?,00000000,?), ref: 0545E259
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: EnumThreadWindows
                              • String ID:
                              • API String ID: 2941952884-0

                              Control-flow Graph (interactive graph not reproduced): basic blocks 5459d7c-545b25a, calls CreateIconFromResourceEx
                              APIs
                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0545B182,?,?,?,?,?), ref: 0545B227
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0

                              Control-flow Graph (interactive graph not reproduced): basic blocks 2eac294-2eac915, calls LoadLibraryExW
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EAC6D1,00000800,00000000,00000000), ref: 02EAC8E2
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02EAC6D1,00000800,00000000,00000000), ref: 02EAC8E2
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02EAC256
                              Memory Dump Source
                              • Source File: 00000011.00000002.1557266601.0000000002EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_2ea0000_workbook.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              APIs
                              • SetWindowLongW.USER32(?,?,?), ref: 05452075
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              APIs
                              • SendMessageW.USER32(?,?,?,?), ref: 0545B58D
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              APIs
                              • SendMessageW.USER32(?,?,?,?), ref: 0545B58D
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              APIs
                              • SetWindowLongW.USER32(?,?,?), ref: 05452075
                              Memory Dump Source
                              • Source File: 00000011.00000002.1577519993.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_5450000_workbook.jbxd
                              Similarity
                              • API ID: LongWindow
                              • String ID:
                              • API String ID: 1378638983-0
                              Memory Dump Source
                              • Source File: 00000011.00000002.1556618814.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_147d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Memory Dump Source
                              • Source File: 00000011.00000002.1556618814.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_147d000_workbook.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: