
Windows Analysis Report
Client.exe

Overview

General Information

Sample name: Client.exe
Analysis ID: 1505598
MD5: 3e8b57c2be9df63483a368b71ccb938b
SHA1: deb26a1b7f616c8d392ae55dd279140b034a4060
SHA256: c5cb97fbe4243df1a99a9c82f44ad555f283fad9f4b15b791faebe5048c8fc99
Tags: exe, unpacked

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (STR)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Client.exe (PID: 5196 cmdline: "C:\Users\user\Desktop\Client.exe" MD5: 3E8B57C2BE9DF63483A368B71CCB938B)
    • schtasks.exe (PID: 6720 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • workbook.exe (PID: 5480 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: 3E8B57C2BE9DF63483A368B71CCB938B)
      • schtasks.exe (PID: 5820 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • workbook.exe (PID: 5056 cmdline: C:\Users\user\AppData\Roaming\SubDir\workbook.exe MD5: 3E8B57C2BE9DF63483A368B71CCB938B)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEa
Bqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}
Source | Rule | Description | Author | Strings
Client.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
Client.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Client.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth |
  • 0x28ef4d:$x1: Quasar.Common.Messages
  • 0x29f276:$x1: Quasar.Common.Messages
  • 0x2ab83a:$x4: Uninstalling... good bye :-(
  • 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
Client.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen |
  • 0x2aadec:$f1: FileZilla\recentservers.xml
  • 0x2aae2c:$f2: FileZilla\sitemanager.xml
  • 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0ba:$b1: Chrome\User Data\
  • 0x2ab110:$b1: Chrome\User Data\
  • 0x2ab3e8:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6f6:$b5: YandexBrowser\User Data\
  • 0x2ab764:$b5: YandexBrowser\User Data\
  • 0x2ab438:$s4: logins.json
  • 0x2ab16e:$a1: username_value
  • 0x2ab18c:$a2: password_value
  • 0x2ab478:$a3: encryptedUsername
  • 0x2fd384:$a3: encryptedUsername
  • 0x2ab49c:$a4: encryptedPassword
  • 0x2fd3a2:$a4: encryptedPassword
  • 0x2fd320:$a5: httpRealm
Client.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen |
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab924:$s3: Process already elevated.
  • 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278d08:$s5: GetKeyloggerLogsDirectory
  • 0x29e9d5:$s5: GetKeyloggerLogsDirectory
  • 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth |
  • 0x28ef4d:$x1: Quasar.Common.Messages
  • 0x29f276:$x1: Quasar.Common.Messages
  • 0x2ab83a:$x4: Uninstalling... good bye :-(
  • 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen |
  • 0x2aadec:$f1: FileZilla\recentservers.xml
  • 0x2aae2c:$f2: FileZilla\sitemanager.xml
  • 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0ba:$b1: Chrome\User Data\
  • 0x2ab110:$b1: Chrome\User Data\
  • 0x2ab3e8:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6f6:$b5: YandexBrowser\User Data\
  • 0x2ab764:$b5: YandexBrowser\User Data\
  • 0x2ab438:$s4: logins.json
  • 0x2ab16e:$a1: username_value
  • 0x2ab18c:$a2: password_value
  • 0x2ab478:$a3: encryptedUsername
  • 0x2fd384:$a3: encryptedUsername
  • 0x2ab49c:$a4: encryptedPassword
  • 0x2fd3a2:$a4: encryptedPassword
  • 0x2fd320:$a5: httpRealm
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen |
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab924:$s3: Process already elevated.
  • 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278d08:$s5: GetKeyloggerLogsDirectory
  • 0x29e9d5:$s5: GetKeyloggerLogsDirectory
  • 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Source | Rule | Description | Author | Strings
00000000.00000000.2209110258.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000000.00000000.2208748611.00000000007D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
Process Memory Space: Client.exe PID: 5196 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
Process Memory Space: workbook.exe PID: 5480 | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
Source | Rule | Description | Author | Strings
0.0.Client.exe.7d0000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
0.0.Client.exe.7d0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.Client.exe.7d0000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth |
  • 0x28ef4d:$x1: Quasar.Common.Messages
  • 0x29f276:$x1: Quasar.Common.Messages
  • 0x2ab83a:$x4: Uninstalling... good bye :-(
  • 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.0.Client.exe.7d0000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen |
  • 0x2aadec:$f1: FileZilla\recentservers.xml
  • 0x2aae2c:$f2: FileZilla\sitemanager.xml
  • 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0ba:$b1: Chrome\User Data\
  • 0x2ab110:$b1: Chrome\User Data\
  • 0x2ab3e8:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6f6:$b5: YandexBrowser\User Data\
  • 0x2ab764:$b5: YandexBrowser\User Data\
  • 0x2ab438:$s4: logins.json
  • 0x2ab16e:$a1: username_value
  • 0x2ab18c:$a2: password_value
  • 0x2ab478:$a3: encryptedUsername
  • 0x2fd384:$a3: encryptedUsername
  • 0x2ab49c:$a4: encryptedPassword
  • 0x2fd3a2:$a4: encryptedPassword
  • 0x2fd320:$a5: httpRealm
0.0.Client.exe.7d0000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen |
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab924:$s3: Process already elevated.
  • 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278d08:$s5: GetKeyloggerLogsDirectory
  • 0x29e9d5:$s5: GetKeyloggerLogsDirectory
  • 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, ParentProcessId: 5480, ParentProcessName: workbook.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 5820, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Client.exe", ParentImage: C:\Users\user\Desktop\Client.exe, ParentProcessId: 5196, ParentProcessName: Client.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 6720, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-06T14:56:10.842995+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 213.159.74.80 | 9792 | 192.168.2.6 | 49712 | TCP
2024-09-06T14:56:10.842995+0200 | 2027619 | 1 | Domain Observed Used for C2 Detected | 213.159.74.80 | 9792 | 192.168.2.6 | 49712 | TCP

AV Detection

Source: Client.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: Client.exe | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | ReversingLabs: Detection: 71%
Source: Client.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: Client.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2209110258.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2208748611.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client.exe PID: 5196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Joe Sandbox ML: detected
Source: Client.exe | Joe Sandbox ML: detected
Source: Client.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: Client.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 213.159.74.80:9792 -> 192.168.2.6:49712
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 213.159.74.80:9792 -> 192.168.2.6:49712
Source: Malware configuration extractor | URLs: twart.myfirewall.org
Source: Yara match | File source: Client.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 213.159.74.80:9792
Source: Joe Sandbox View | IP Address: 213.159.74.80
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: CTINET-ASCTINETAutonomousSystemRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: workbook.exe, 00000004.00000002.4682157776.000000001B7D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: workbook.exe, 00000004.00000002.4682157776.000000001B7D5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microscom/
Source: workbook.exe, 00000004.00000002.4682157776.000000001B8B5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: workbook.exe, 00000004.00000002.4674814824.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enK
Source: workbook.exe, 00000004.00000002.4675674769.0000000002F95000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: workbook.exe, 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Client.exe, 00000000.00000002.2228994181.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000004.00000002.4675674769.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Client.exe, workbook.exe.0.dr | String found in binary or memory: https://api.ipify.org/
Source: workbook.exe, 00000004.00000002.4675674769.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: Client.exe, workbook.exe.0.dr | String found in binary or memory: https://ipwho.is/
Source: Client.exe, workbook.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Client.exe, workbook.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Client.exe, workbook.exe.0.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.6:49714 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\workbook.exe

E-Banking Fraud

Source: Yara match | File source: Client.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2209110258.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2208748611.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client.exe PID: 5196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 5480, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED

System Summary

                        Source: Client.exe, type: SAMPLEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: Client.exe, type: SAMPLEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: Client.exe, type: SAMPLEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPEDMatched rule: Detects QuasarRAT malware Author: Florian Roth
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPEDMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPEDMatched rule: Detects Quasar infostealer Author: ditekshen
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD347DB7FB4_2_00007FFD347DB7FB
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD347D5FA74_2_00007FFD347D5FA7
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD347DB9F24_2_00007FFD347DB9F2
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD347D63D34_2_00007FFD347D63D3
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A455D64_2_00007FFD34A455D6
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A515B04_2_00007FFD34A515B0
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A5FE904_2_00007FFD34A5FE90
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A4AFDD4_2_00007FFD34A4AFDD
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A49FD04_2_00007FFD34A49FD0
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A5B8614_2_00007FFD34A5B861
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A58A1F4_2_00007FFD34A58A1F
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A63B094_2_00007FFD34A63B09
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A5CAE54_2_00007FFD34A5CAE5
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A492714_2_00007FFD34A49271
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A57C264_2_00007FFD34A57C26
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A421FA4_2_00007FFD34A421FA
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34A4621F4_2_00007FFD34A4621F
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4_2_00007FFD34B623214_2_00007FFD34B62321
                        Source: Client.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Client.exe, type: SAMPLE | Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
Source: Client.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers)
Source: Client.exe, type: SAMPLE | Matched rule: MALWARE_Win_QuasarStealer (author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer)
Source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
Source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers)
Source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer (author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 (date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer (author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED | Matched rule: MALWARE_Win_QuasarStealer (author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/5@2/2
Source: C:\Users\user\Desktop\Client.exe | File created: C:\Users\user\AppData\Roaming\SubDir
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\0235e291-5d04-4fa3-932c-869aeec51499
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_03
Source: Client.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Client.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Client.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Client.exe | ReversingLabs: Detection: 71%
Source: Client.exe | String found in binary or memory: HasSubValue3Conflicting item/add type
Source: C:\Users\user\Desktop\Client.exe | File read: C:\Users\user\Desktop\Client.exe
Source: unknown | Process created: C:\Users\user\Desktop\Client.exe "C:\Users\user\Desktop\Client.exe"
Source: C:\Users\user\Desktop\Client.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Client.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Client.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, sspicli.dll, ntmarta.dll, apphelp.dll
Source: C:\Windows\System32\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll, sspicli.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, gpapi.dll, cryptnet.dll, winnsi.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, cabinet.dll, rasapi32.dll, rasman.dll, rtutils.dll, wbemcomn.dll, amsi.dll, userenv.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe (second instance) | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msasn1.dll
Source: C:\Windows\System32\schtasks.exe (second invocation) | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Client.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Client.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Client.exe | Static file information: File size 3266048 > 1048576
Source: Client.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x31c600
Source: Client.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Client.exe | Code function: 0_2_00007FFD34800553 pushad ; iretd 0_2_00007FFD3480055A
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4_2_00007FFD346BD2A5 pushad ; iretd 4_2_00007FFD346BD2A6
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4_2_00007FFD347D0553 pushad ; iretd 4_2_00007FFD347D055A
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4_2_00007FFD34A5DBB0 push ss; retn FFD7h 4_2_00007FFD34A5DD1F
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4_2_00007FFD34A433A0 push eax; ret 4_2_00007FFD34A4340C
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 4_2_00007FFD34B62321 push edx; retf 5F21h 4_2_00007FFD34B65A3B
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 5_2_00007FFD34800553 pushad ; iretd 5_2_00007FFD3480055A
Source: C:\Users\user\Desktop\Client.exe | File created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Boot Survival

Source: C:\Users\user\Desktop\Client.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
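The schtasks row above, and the Zone.Identifier rows in the next section, are the two behaviours in this report that a detection engineer would most want to turn into a check. The following triage routine is an added example; it is not Joe Sandbox output and not code from the sample. It parses a schtasks command line and scores the persistence traits the report records (an ONLOGON trigger, /rl HIGHEST, a task action under a user-writable path, /f), and it flags a process opening a Zone.Identifier stream with DELETE access. The event dictionaries, their field names (type, image, command_line, target, access) and the two benign control events are constructed for the example and are not a real log schema.

```python
"""Triage of two behaviours from the report: a schtasks persistence command and
deletion of the Zone.Identifier alternate data stream (the Mark-of-the-Web).

Added example; not Joe Sandbox output and not code from the analysed sample.
The event records below are constructed to mirror the report's rows; their
field names are an assumed schema.
"""
import re
import shlex

# Constructed events modelled on the report's "Process created" and "File opened" rows.
# The svchost/Backup and explorer/report.pdf entries are benign controls (also constructed).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\user\Desktop\Client.exe",
     "command_line": r'"schtasks" /create /tn "workbook" /sc ONLOGON '
                     r'/tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f'},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 '
                     r'/tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "file", "image": r"C:\Users\user\Desktop\Client.exe",
     "target": r"C:\Users\user\Desktop\Client.exe:Zone.Identifier",
     "access": "read attributes | delete"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier",
     "access": "read attributes"},
]

# Directories a standard user can write to. Legitimate software usually installs
# its scheduled-task targets under Program Files, not here.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
ZONE_ID_SUFFIX = ":Zone.Identifier"


def parse_schtasks(command_line):
    """Return {option: value or True} for a schtasks command line, or None if it is not schtasks.

    Non-POSIX splitting keeps Windows backslashes intact; surrounding quotes are stripped.
    """
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    if not tokens or re.split(r"[\\/]", tokens[0])[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]   # option with a value, e.g. /sc ONLOGON
                i += 2
                continue
            opts[key] = True                # bare switch, e.g. /f
        i += 1
    return opts


def assess_schtasks(opts):
    """List the reasons a parsed schtasks /create call looks like malware persistence."""
    reasons = []
    if not opts or "create" not in opts:
        return reasons
    trigger = str(opts.get("sc", "")).upper()
    if trigger in ("ONLOGON", "ONSTART", "ONIDLE"):
        reasons.append(f"trigger {trigger}: re-runs the binary without user action")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("run level HIGHEST: requests the highest token the creating account can obtain")
    if USER_WRITABLE.search(str(opts.get("tr", ""))):
        reasons.append("task action points into a user-writable directory")
    if opts.get("f") is True:
        reasons.append("/f: silently replaces any existing task with the same name")
    return reasons


def assess_zone_identifier(target, access, image):
    """Flag deletion of the Zone.Identifier stream, which carries the Mark-of-the-Web."""
    if not target.lower().endswith(ZONE_ID_SUFFIX.lower()) or "delete" not in access.lower():
        return []
    reasons = ["Zone.Identifier stream opened with DELETE: removes the Mark-of-the-Web"]
    if target[: -len(ZONE_ID_SUFFIX)].lower() == image.lower():
        reasons.append("the process strips the mark from its own executable")
    return reasons


def triage(events):
    """Map event index -> reasons for every event that trips at least one check."""
    findings = {}
    for idx, ev in enumerate(events):
        if ev["type"] == "process":
            reasons = assess_schtasks(parse_schtasks(ev["command_line"]))
        else:
            reasons = assess_zone_identifier(ev["target"], ev["access"], ev["image"])
        if reasons:
            findings[idx] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['image']}):")
        for reason in reasons:
            print("  -", reason)
```

Run as a script it reports only the two Client.exe events; the daily backup task and the read-only stream access stay quiet. The four schtasks signals are scored independently because none is malicious alone: ONLOGON tasks and /f are common in installers, and /rl HIGHEST only yields an elevated token when the creating account already has one. A task created from a user-writable path with all four set, by a process that has just removed its own Mark-of-the-Web, is the combination worth alerting on.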

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Client.exe | File opened: C:\Users\user\Desktop\Client.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\Desktop\Client.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier (read attributes | delete)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Client.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process information set: NOOPENFILEERRORBOX (90 identical entries)
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\Client.exe  Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Client.exe  Memory allocated: 1AE90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Memory allocated: 1ABB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Memory allocated: F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Memory allocated: 1A980000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Code function: 4_2_00007FFD347DF1F2: str ax (STR stores the task register; reading it is the classic STR-based virtual machine check)
Source: C:\Users\user\Desktop\Client.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Window / User API: threadDelayed 2452
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Window / User API: threadDelayed 7293
Source: C:\Users\user\Desktop\Client.exe TID: 5932  Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 616  Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 6188  Thread sleep count: 2452 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 6188  Thread sleep count: 7293 > 30
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 6276  Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 4396  Thread sleep time: -922337203685477s >= -30000s
Note: 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks divided by 10000), i.e. an effectively infinite wait rather than a timed sleep, which is what a .NET main thread typically does while its worker threads run; on its own it is weak evidence of sleep-based evasion. The repeated sleeps counted on TID 6188 (2452 and 7293 calls) are the separate, loop-style pattern.
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: workbook.exe, 00000004.00000002.4682157776.000000001B8EF000.00000004.00000020.00020000.00000000.sdmp; workbook.exe, 00000004.00000002.4681421117.000000001B739000.00000004.00000020.00020000.00000000.sdmp; workbook.exe, 00000004.00000002.4681421117.000000001B72B000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\Client.exe  Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Process token adjusted: Debug
Source: C:\Users\user\Desktop\Client.exe  Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Client.exe  Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Client.exe  Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Process created: C:\Windows\System32\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Client.exe  Queries volume information: C:\Users\user\Desktop\Client.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe  Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation
Source: C:\Users\user\Desktop\Client.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
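Added example, not part of the Joe Sandbox report: a hunting routine for the schtasks persistence recorded above, where both the sample and its dropped copy ran `schtasks /create /tn "workbook" /sc ONLOGON /tr "...\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f`. It parses `schtasks /create` command lines out of process-creation events and scores the combination of a logon trigger, highest run level, force flag, an action in a user-writable directory and a parent that itself runs from a user profile. The events are constructed to resemble Sysmon Event ID 1 fields (`Image`, `ParentImage`, `CommandLine`); the field names, the user-writable path list and the scoring threshold are assumptions of this example.

```python
r"""Hunt for schtasks-based persistence of the kind seen in the report.

Added example, not part of the Joe Sandbox report. Event field names follow
Sysmon Event ID 1 (assumption); the threshold and path heuristics are this
example's own choices.
"""
import ntpath
import re
import shlex
from typing import Dict, List, Optional

# Directories a standard user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Temp|Downloads|Users\\Public|ProgramData)\\", re.I
)
# Switches after which schtasks expects a value; anything else (/f, /z, ...) is a bare flag.
VALUE_SWITCHES = {"/tn", "/tr", "/sc", "/rl", "/ru", "/rp", "/mo", "/st", "/sd", "/ed", "/et", "/xml"}
TRIGGERS_AT_BOOT_OR_LOGON = {"ONLOGON", "ONSTART"}
FLAG_THRESHOLD = 3  # assumption: three or more indicators make a finding


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the switches of a `schtasks /create` command line, or None when the
    command line is not a task creation (or not schtasks at all)."""
    try:
        # posix=False keeps Windows backslashes intact; we strip the quotes ourselves.
        argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes
        return None
    if len(argv) < 2 or ntpath.basename(argv[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    if argv[1].lower() != "/create":
        return None
    switches: Dict[str, object] = {}
    i = 2
    while i < len(argv):
        key = argv[i].lower()
        if key in VALUE_SWITCHES:
            switches[key] = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        else:
            switches[key] = True
            i += 1
    return switches


def assess_event(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one process-creation event; return a finding dict or None."""
    switches = parse_schtasks_create(event.get("CommandLine", ""))
    if switches is None:
        return None
    action = str(switches.get("/tr", ""))
    reasons: List[str] = []
    if str(switches.get("/sc", "")).upper() in TRIGGERS_AT_BOOT_OR_LOGON:
        reasons.append("triggers at logon or boot")
    if str(switches.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if "/f" in switches:
        reasons.append("force-overwrites any existing task of that name")
    if USER_WRITABLE.search(action):
        reasons.append("task action lives in a user-writable directory")
    if event.get("ParentImage", "").lower().startswith("c:\\users\\"):
        reasons.append("created by a process running from a user profile")
    if len(reasons) < FLAG_THRESHOLD:
        return None
    return {
        "task": switches.get("/tn", ""),
        "action": action,
        "parent": event.get("ParentImage", ""),
        "score": len(reasons),
        "reasons": reasons,
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply assess_event to every event and keep the findings."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed events: the first reproduces the command line observed in the
# report, the other two are benign/irrelevant controls.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\Client.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f',
    },
    {   # constructed benign installer registering a daily updater under Program Files
        "ParentImage": r"C:\Program Files\ExampleVendor\setup.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /tn "ExampleUpdater" /sc DAILY /st 12:00 /tr "C:\Program Files\ExampleVendor\update.exe"',
    },
    {   # constructed: a query, not a creation, so it is ignored
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /query /tn "workbook"',
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[score {finding['score']}] task {finding['task']!r} -> {finding['action']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The same parser can be pointed at Security event 4698 (task created) by feeding the task XML's command and trigger instead of a command line; the scoring is what matters, not the log source.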

Stealing of Sensitive Information

Source: Yara match  File source: Client.exe, type: SAMPLE
Source: Yara match  File source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000000.2209110258.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000000.2208748611.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: Client.exe PID: 5196, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: workbook.exe PID: 5480, type: MEMORYSTR
Source: Yara match  File source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED

Remote Access Functionality

Source: Yara match  File source: Client.exe, type: SAMPLE
Source: Yara match  File source: 0.0.Client.exe.7d0000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000000.00000000.2209110258.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000000.2208748611.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: Client.exe PID: 5196, type: MEMORYSTR
Source: Yara match  File source: Process Memory Space: workbook.exe PID: 5480, type: MEMORYSTR
Source: Yara match  File source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, type: DROPPED
MITRE ATT&CK matrix, reduced to the techniques the report attaches signatures to. The digits after each technique are the count badges printed beside it in the matrix, reproduced as shown; the unmatched cells of the full matrix (including Cron, Launchd, Systemd Timers and other entries that only apply to other platforms) are omitted.

Execution: Windows Management Instrumentation (21); Command and Scripting Interpreter (2); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (51); Process Injection (11); Hidden Files and Directories (1); Obfuscated Files or Information (1); DLL Side-Loading (1)
Credential Access: Input Capture (11)
Discovery: Query Registry (1); Security Software Discovery (111); Virtualization/Sandbox Evasion (51); Application Window Discovery (1); System Network Configuration Discovery (1); System Information Discovery (23)
Collection: Input Capture (11); Archive Collected Data (1)
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (113)
No signatures were mapped to Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.
Behavior graph (ID 1505598, sample Client.exe, start date 06/09/2024, architecture WINDOWS, score 100), rendered as a process tree:

Contacted hosts: twart.myfirewall.org; ipwho.is; bg.microsoft.map.fastly.net
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

Client.exe (started)
  dropped: C:\Users\user\AppData\...\workbook.exe (PE32); C:\Users\user\AppData\...\Client.exe.log (CSV)
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
  workbook.exe (started)
    network: twart.myfirewall.org 213.159.74.80, ports 49712, 9792, CTINET-ASCTINETAutonomousSystemRU, Russian Federation; ipwho.is 195.201.57.90, ports 443, 49714, HETZNER-ASDE, Germany
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
    schtasks.exe (started)
      conhost.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
workbook.exe (started; a second instance started independently of Client.exe, consistent with the Task Scheduler entry in the timeline)

Antivirus results for the submitted sample (Source | Detection | Scanner | Label):
Client.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
Client.exe | 100% | Avira | HEUR/AGEN.1307453
Client.exe | 100% | Joe Sandbox ML |
Antivirus results for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 100% | Avira | HEUR/AGEN.1307453
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
                        No Antivirus matches
                        No Antivirus matches
Antivirus results for URLs found in memory and strings (Source | Detection | Scanner | Label):
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crl.microscom/ | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/14436606/23354 | 0% | Avira URL Cloud | safe
twart.myfirewall.org | 0% | Avira URL Cloud | safe
https://api.ipify.org/ | 0% | Avira URL Cloud | safe
http://ipwho.is | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/11564914/23354; | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/2152978/23354sCannot | 0% | Avira URL Cloud | safe
https://ipwho.is/ | 0% | Avira URL Cloud | safe
https://ipwho.is | 0% | Avira URL Cloud | safe
http://crl.micros | 0% | Avira URL Cloud | safe
Note: a "safe" URL-reputation verdict only means the URL was not listed at analysis time; twart.myfirewall.org is rated safe here while the domain table below marks it as malicious.
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
ipwho.is | 195.201.57.90 | true | false | | unknown
twart.myfirewall.org | 213.159.74.80 | true | true | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://ipwho.is/ | false | Avira URL Cloud: safe | unknown
twart.myfirewall.org | true | Avira URL Cloud: safe | unknown
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation):
https://api.ipify.org/ | Client.exe, workbook.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://crl.microscom/ | workbook.exe, 00000004.00000002.4682157776.000000001B7D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/14436606/23354 | Client.exe, workbook.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/2152978/23354sCannot | Client.exe, workbook.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | workbook.exe, 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Client.exe, 00000000.00000002.2228994181.0000000002E91000.00000004.00000800.00020000.00000000.sdmp; workbook.exe, 00000004.00000002.4675674769.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ipwho.is | workbook.exe, 00000004.00000002.4675674769.0000000002F95000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/11564914/23354; | Client.exe, workbook.exe.0.dr | false | Avira URL Cloud: safe | unknown
https://ipwho.is | workbook.exe, 00000004.00000002.4675674769.0000000002F7B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micros | workbook.exe, 00000004.00000002.4682157776.000000001B7D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
213.159.74.80 | twart.myfirewall.org | Russian Federation | 13078 | CTINET-ASCTINETAutonomousSystemRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
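Added example, not part of the Joe Sandbox report: a triage pass over network-connection events that reproduces the two network behaviours the report attaches to workbook.exe, traffic to a non-standard port on 213.159.74.80 and a public-IP lookup against ipwho.is (api.ipify.org, the other lookup service, appears in the sample's strings). Of the two port numbers the behavior graph lists for the twart.myfirewall.org connection, 49712 lies in Windows' ephemeral source-port range, so 9792 is treated as the destination port. The events are constructed to resemble Sysmon Event ID 3 fields (`Image`, `DestinationHostname`, `DestinationIp`, `DestinationPort`); the field names, the expected-port allow-list and the severity levels are assumptions of this example.

```python
"""Triage network connections for non-standard ports and public-IP lookups.

Added example, not part of the Joe Sandbox report. Field names follow Sysmon
Event ID 3 (assumption); the port allow-list and severities are this example's.
"""
from collections import defaultdict
from typing import Dict, List

# Ports ordinary user software is expected to talk to (assumption; tune per estate).
EXPECTED_PORTS = {53, 80, 443, 853, 993, 995, 5228}
# Public-IP lookup services; both names occur in the report (traffic and strings).
IP_LOOKUP_HOSTS = {"ipwho.is", "api.ipify.org"}
# Path fragments that mark a binary running from a user-writable location (assumption).
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")


def from_user_writable(image: str) -> bool:
    """True when the executable path sits in a directory a normal user can write to."""
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage_connections(events: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Group connection events per image and rate them.

    high   : the same image both used a non-standard port and looked up its public IP
    medium : only one of the two
    Images showing neither indicator are not returned.
    """
    per_image: Dict[str, Dict[str, list]] = defaultdict(
        lambda: {"odd_port": [], "ip_lookup": [], "peers": []}
    )
    for ev in events:
        image = str(ev["Image"])
        port = int(ev["DestinationPort"])  # type: ignore[arg-type]
        host = str(ev.get("DestinationHostname", "")).lower()
        ip = str(ev.get("DestinationIp", ""))
        rec = per_image[image]
        rec["peers"].append(f"{host or ip}:{port}")
        # A non-standard port is only interesting from a user-writable path; installed
        # software on odd ports is common and would otherwise drown the signal.
        if port not in EXPECTED_PORTS and from_user_writable(image):
            rec["odd_port"].append(f"{ip}:{port}")
        if host in IP_LOOKUP_HOSTS:
            rec["ip_lookup"].append(host)

    findings: Dict[str, Dict[str, object]] = {}
    for image, rec in per_image.items():
        hits = sum(1 for key in ("odd_port", "ip_lookup") if rec[key])
        if hits == 0:
            continue
        findings[image] = {
            "severity": "high" if hits == 2 else "medium",
            "odd_port": rec["odd_port"],
            "ip_lookup": rec["ip_lookup"],
            "peers": rec["peers"],
        }
    return findings


# Constructed events: the first two reproduce the connections the report shows for
# the dropped copy; the last two are benign controls.
SAMPLE_CONNECTIONS = [
    {
        "Image": r"C:\Users\user\AppData\Roaming\SubDir\workbook.exe",
        "DestinationHostname": "twart.myfirewall.org", "DestinationIp": "213.159.74.80", "DestinationPort": 9792,
    },
    {
        "Image": r"C:\Users\user\AppData\Roaming\SubDir\workbook.exe",
        "DestinationHostname": "ipwho.is", "DestinationIp": "195.201.57.90", "DestinationPort": 443,
    },
    {   # constructed benign: a browser fetching a CDN resource over 443
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "DestinationHostname": "bg.microsoft.map.fastly.net", "DestinationIp": "199.232.210.172", "DestinationPort": 443,
    },
    {   # constructed benign: installed software on an unusual port, but not from a user-writable path
        "Image": r"C:\Program Files\ExampleVendor\sync.exe",
        "DestinationHostname": "", "DestinationIp": "203.0.113.5", "DestinationPort": 27015,
    },
]

if __name__ == "__main__":
    for image, finding in triage_connections(SAMPLE_CONNECTIONS).items():
        print(f"[{finding['severity']}] {image}")
        print("   non-standard ports:", finding["odd_port"] or "-")
        print("   public IP lookups :", finding["ip_lookup"] or "-")
```

The public-IP lookup is rated as an indicator in its own right because a RAT needs the victim's external address for its check-in, whereas a browser or updater has no reason to ask a third-party service for it; correlating it with the odd-port connection from the same image is what lifts the severity.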
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1505598
Start date and time: 2024-09-06 14:55:02 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Client.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@10/5@2/2
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 60
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target workbook.exe, PID 5056 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Client.exe
Timeline (Time | Type | Description):
08:56:10 | API Interceptor | 14656538x Sleep call for process: workbook.exe modified
14:56:07 | Task Scheduler | Run new task: workbook path: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Related samples contacting the same IPs (Match | Associated sample name / URL | Detection | Threat name | Context):
213.159.74.80 | rNuevoPedidoPO-00843.pdf.com.exe | malicious | Quasar |
213.159.74.80 | rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe | malicious | Quasar |
213.159.74.80 | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar |
213.159.74.80 | Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe | malicious | Quasar |
213.159.74.80 | 4dALKsHYFM.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer, zgRAT |
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
195.201.57.90 | Clipper.exe | malicious | Unknown | /?output=json
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Note: the 213.159.74.80 matches are other Quasar builds sharing the C2 host; the 195.201.57.90 matches are unrelated families that merely use the same public-IP lookup service (ipwho.is).
Related samples contacting the same domains (Match | Associated sample name / URL | Detection | Threat name | Context):
ipwho.is | AdjustLoader.exe | malicious | Unknown | 195.201.57.90
ipwho.is | rNuevoPedidoPO-00843.pdf.com.exe | malicious | Quasar | 195.201.57.90
ipwho.is | rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 108.181.98.179
ipwho.is | ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe | malicious | Quasar | 195.201.57.90
ipwho.is | SenditIllrunitinmyvirtualmachineinsidemyvirtualmachine.bat | malicious | Unknown | 195.201.57.90
ipwho.is | i.bat | malicious | Unknown | 195.201.57.90
ipwho.is | lnk.bat | malicious | Unknown | 195.201.57.90
ipwho.is | saving.exe | malicious | Njrat | 195.201.57.90
ipwho.is | 98.exe | malicious | Unknown | 195.201.57.90
bg.microsoft.map.fastly.net | External.exe | malicious | Ades Stealer, BlackGuard, VEGA Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | https://rznfilarmonia.ru/bitrix/redirect.php?event1&event2&event3&goto=https://agroserviceica.com/rkos/dist | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://zoomzle.com | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://emyoo.com.au/wp-includes/Text/Diff/Renderer/ | malicious | HTMLPhisher | 199.232.214.172
bg.microsoft.map.fastly.net | https://hye.com.mx/ | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | ZWlwrTM9HK.exe | malicious | Remcos | 199.232.210.172
bg.microsoft.map.fastly.net | http://hikmaa.com/ | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://www.tiktok.com/link/v2?aid=1988&lang=en&scene=bio_url&target=google.com.////amp/s/%E2%80%8Bt%C2%ADab%C2%ADleg%C2%ADen%C2%ADie%E2%80%8B.%C2%ADi%C2%ADo/dayo/1iuzr/ecqi-resource-center@hhs.gov | malicious | HTMLPhisher |
Note: the analysis itself whitelists 199.232.210.172 as background Windows traffic, so the bg.microsoft.map.fastly.net matches reflect sandbox noise shared by unrelated samples rather than shared attacker infrastructure.
                                        • 199.232.210.172
                                        IDR-500000000.pdfGet hashmaliciousUnknownBrowse
                                        • 199.232.210.172
                                        PO#100600574.vbsGet hashmaliciousGuLoaderBrowse
                                        • 199.232.210.172
                                        twart.myfirewall.orgrNuevoPedidoPO-00843.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        4dALKsHYFM.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog Stealer, zgRATBrowse
                                        • 213.159.74.80
                                        doc_RFQ NEW ORDER #2400228341.pdf.exeGet hashmaliciousAsyncRATBrowse
                                        • 41.151.251.119
                                        doc_Rfq_TNTM #U00daj rend TM00002916620 exp_pdf.exeGet hashmaliciousXWormBrowse
                                        • 103.35.191.158
                                        6KfY269eO6.exeGet hashmaliciousLodaRATBrowse
                                        • 103.35.191.158
                                        #U00daj megrendel#U00e9s - 00905173088 CPTL #U00e1raj#U00e1nlat - egyenk#U00e9nt 100.exeGet hashmaliciousMailPassView, XpertRATBrowse
                                        • 103.35.191.158
                                        Enquiry_300522_PDF.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                        • 2.56.57.193
                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        HETZNER-ASDEz3bqnf1WvW.exeGet hashmaliciousRedLine, SectopRATBrowse
                                        • 178.63.51.126
                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 5.75.214.132
                                        http://e95lq1vmgxojxrxkv7.pages.dev/Get hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        https://infognition.com/ScreenPressor/ScreenPressor4.zipGet hashmaliciousUnknownBrowse
                                        • 78.47.156.184
                                        bot_library.exeGet hashmaliciousUnknownBrowse
                                        • 144.76.166.199
                                        bot_library.exeGet hashmaliciousUnknownBrowse
                                        • 159.69.63.226
                                        http://beonlineboo.comGet hashmaliciousUnknownBrowse
                                        • 116.203.55.214
                                        firmware.armv4l.elfGet hashmaliciousUnknownBrowse
                                        • 135.181.180.74
                                        firmware.armv5l.elfGet hashmaliciousUnknownBrowse
                                        • 135.181.180.74
                                        firmware.sh4.elfGet hashmaliciousUnknownBrowse
                                        • 195.201.106.177
                                        CTINET-ASCTINETAutonomousSystemRUrNuevoPedidoPO-00843.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        4dALKsHYFM.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog Stealer, zgRATBrowse
                                        • 213.159.74.80
                                        yEL4yMV0s4.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • 213.159.64.146
                                        AGREEMENT AND APPROVAL REPORT FECRWY RN & FR OF 2024-501144_6.5.24.pdfGet hashmaliciousHTMLPhisherBrowse
                                        • 213.159.64.109
                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0eExternal.exeGet hashmaliciousAdes Stealer, BlackGuard, VEGA StealerBrowse
                                        • 195.201.57.90
                                        newvideozones.click.ps1Get hashmaliciousLummaCBrowse
                                        • 195.201.57.90
                                        human-verification5.b-cdn.net.ps1Get hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        YzvChS4FPi.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                        • 195.201.57.90
                                        scan_documet_027839.vbsGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        Request for Quotation_1.jsGet hashmaliciousPXRECVOWEIWOEI StealerBrowse
                                        • 195.201.57.90
                                        Distributrnets.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 195.201.57.90
                                        WindowTop.5.23.3.-.setup.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        SecuriteInfo.com.Win32.RATX-gen.1669.23340.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                        • 195.201.57.90
                                        Quote Order.exeGet hashmaliciousFormBookBrowse
                                        • 195.201.57.90
                                        No context
                                        Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                        Category:dropped
                                        Size (bytes):71954
                                        Entropy (8bit):7.996617769952133
                                        Encrypted:true
                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):328
                                        Entropy (8bit):3.2265530073076
                                        Encrypted:false
                                        SSDEEP:6:kK12N/99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:UqDImsLNkPlE99SNxAhUe/3
                                        MD5:16CFD1C3F7148EBE8B63E8202317D0F7
                                        SHA1:B4EA3A26E4A2FB73161B5E56C4F78C852D395586
                                        SHA-256:EEAE9AE99E4164616644B3239900E04B7A1217F046482906D252D713C94C7D1C
                                        SHA-512:0B313C1F62ED1DCD915FF427493188727EFF69DB0845E6FE661B504B04584A08F4DC4CD98D42CBF391D19B7D5E05EC5CABD60AFC86EAF3F873BFB4A8B64A75F8
                                        Malicious:false
                                        Reputation:low
Preview:(binary; contains the UTF-16 string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab followed by the quoted value "a7282eb40b1da1:0")
                                        Process:C:\Users\user\Desktop\Client.exe
                                        File Type:CSV text
                                        Category:dropped
                                        Size (bytes):1281
                                        Entropy (8bit):5.370111951859942
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                        MD5:12C61586CD59AA6F2A21DF30501F71BD
                                        SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                        SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                        SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                        Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        File Type:CSV text
                                        Category:dropped
                                        Size (bytes):1281
                                        Entropy (8bit):5.370111951859942
                                        Encrypted:false
                                        SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                        MD5:12C61586CD59AA6F2A21DF30501F71BD
                                        SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                        SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                        SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                                        Process:C:\Users\user\Desktop\Client.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):3266048
                                        Entropy (8bit):6.082206941534059
                                        Encrypted:false
                                        SSDEEP:49152:Dvwt62XlaSFNWPjljiFa2RoUYIMIW+sWvoGdBNZTHHB72eh2NT:Dv862XlaSFNWPjljiFXRoUYIjW+s6
                                        MD5:3E8B57C2BE9DF63483A368B71CCB938B
                                        SHA1:DEB26A1B7F616C8D392AE55DD279140B034A4060
                                        SHA-256:C5CB97FBE4243DF1A99A9C82F44AD555F283FAD9F4B15B791FAEBE5048C8FC99
                                        SHA-512:C7D646C84531B6F182820A3CEBC1779EF87BD0C92AEABCCB922B685F040371D251B0DA15FD5ECAA54DFE315560BBA807A87AED2F44DBC0FCE9703B5C0F4EE7E5
                                        Malicious:true
                                        Yara Hits:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: Joe Security
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: Florian Roth
                                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: ditekSHen
                                        • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: ditekshen
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 71%
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):6.082206941534059
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Windows Screen Saver (13104/52) 0.07%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:Client.exe
                                        File size:3'266'048 bytes
                                        MD5:3e8b57c2be9df63483a368b71ccb938b
                                        SHA1:deb26a1b7f616c8d392ae55dd279140b034a4060
                                        SHA256:c5cb97fbe4243df1a99a9c82f44ad555f283fad9f4b15b791faebe5048c8fc99
                                        SHA512:c7d646c84531b6f182820a3cebc1779ef87bd0c92aeabccb922b685f040371d251b0da15fd5ecaa54dfe315560bba807a87aed2f44dbc0fce9703b5c0f4ee7e5
                                        SSDEEP:49152:Dvwt62XlaSFNWPjljiFa2RoUYIMIW+sWvoGdBNZTHHB72eh2NT:Dv862XlaSFNWPjljiFXRoUYIjW+s6
                                        TLSH:D1E56B0537F85E32E16BD7B3E5B0501263F1F82AF363EB0B5181A77A5C93B5488426A7
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..................1...........1.. ........@.. .......................@2...........@................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x71e3fe
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the disassembler's decoding of the zero bytes that follow the six-byte jmp stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x31e3a8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x320000 | 0xa93 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x322000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x31c404 | 0x31c600 | c737de7b55bf63c7b99ed353ca3347ed | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x320000 | 0xa93 | 0xc00 | cdeae95ac72e9e58017d2bcc89d2fbea | False | 0.36328125 | data | 4.653972105845318 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x322000 | 0xc | 0x200 | e7d4f7d5c6a56813a995215f35c1a9ce | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3200a0 | 0x31c | data | | | 0.4484924623115578
RT_MANIFEST | 0x3203bc | 0x6d7 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text | | | 0.40319817247287265
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-06T14:56:10.842995+0200 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 213.159.74.80 | 9792 | 192.168.2.6 | 49712 | TCP
2024-09-06T14:56:10.842995+0200 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 213.159.74.80 | 9792 | 192.168.2.6 | 49712 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2024 14:56:10.353904009 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:10.358920097 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:10.358990908 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:10.387475014 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:10.392311096 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:10.834604025 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:10.834820032 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:10.834887028 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:10.838047981 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:10.842994928 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:10.945895910 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:11.000020027 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:11.801935911 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:11.801965952 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:11.802037001 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:11.802948952 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:11.802962065 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.683546066 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.683667898 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:12.687711000 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:12.687725067 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.688107967 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.692301035 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:12.736510992 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.891335011 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.891406059 CEST | 443 | 49714 | 195.201.57.90 | 192.168.2.6
Sep 6, 2024 14:56:12.891472101 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:13.025233030 CEST | 49714 | 443 | 192.168.2.6 | 195.201.57.90
Sep 6, 2024 14:56:13.264210939 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:13.269256115 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:13.269326925 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:13.274977922 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:13.582065105 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:13.631190062 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:13.842628002 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:13.842740059 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:56:13.842784882 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:38.849951029 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:56:38.854837894 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:57:03.865602970 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:57:03.870471954 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:57:28.881192923 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:57:28.886156082 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:57:53.896872044 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:57:53.901923895 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:58:18.912498951 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:58:18.917427063 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:58:43.928138018 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:58:43.933087111 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:59:08.943772078 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:59:08.949058056 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:59:33.959449053 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:59:33.964356899 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Sep 6, 2024 14:59:58.975091934 CEST | 49712 | 9792 | 192.168.2.6 | 213.159.74.80
Sep 6, 2024 14:59:58.979991913 CEST | 9792 | 49712 | 213.159.74.80 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 6, 2024 14:56:10.332160950 CEST | 60105 | 53 | 192.168.2.6 | 1.1.1.1
Sep 6, 2024 14:56:10.343485117 CEST | 53 | 60105 | 1.1.1.1 | 192.168.2.6
Sep 6, 2024 14:56:11.791076899 CEST | 49618 | 53 | 192.168.2.6 | 1.1.1.1
Sep 6, 2024 14:56:11.798288107 CEST | 53 | 49618 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 6, 2024 14:56:10.332160950 CEST | 192.168.2.6 | 1.1.1.1 | 0xc3ed | Standard query (0) | twart.myfirewall.org | A (IP address) | IN (0x0001) | false
Sep 6, 2024 14:56:11.791076899 CEST | 192.168.2.6 | 1.1.1.1 | 0x2bfe | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 6, 2024 14:56:10.343485117 CEST | 1.1.1.1 | 192.168.2.6 | 0xc3ed | No error (0) | twart.myfirewall.org | | 213.159.74.80 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 14:56:11.042975903 CEST | 1.1.1.1 | 192.168.2.6 | 0x18e2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 14:56:11.042975903 CEST | 1.1.1.1 | 192.168.2.6 | 0x18e2 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 14:56:11.798288107 CEST | 1.1.1.1 | 192.168.2.6 | 0x2bfe | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 14:57:23.072856903 CEST | 1.1.1.1 | 192.168.2.6 | 0x95d6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Sep 6, 2024 14:57:23.072856903 CEST | 1.1.1.1 | 192.168.2.6 | 0x95d6 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                        • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49714 | 195.201.57.90 | 443 | 5480 | C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-06 12:56:12 UTC | 150 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Host: ipwho.is
Connection: Keep-Alive
2024-09-06 12:56:12 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Fri, 06 Sep 2024 12:56:12 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
2024-09-06 12:56:12 UTC | 1019 | IN | Data Raw: (hex dump not reproduced; the ASCII decode follows)
                                        Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor

                                        Target ID:0
                                        Start time:08:56:05
                                        Start date:06/09/2024
                                        Path:C:\Users\user\Desktop\Client.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\Client.exe"
                                        Imagebase:0x7d0000
                                        File size:3'266'048 bytes
                                        MD5 hash:3E8B57C2BE9DF63483A368B71CCB938B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2209110258.0000000000AF0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.2208748611.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:08:56:07
                                        Start date:06/09/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                                        Imagebase:0x7ff735610000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:08:56:07
                                        Start date:06/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:08:56:07
                                        Start date:06/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                        Imagebase:0x620000
                                        File size:3'266'048 bytes
                                        MD5 hash:3E8B57C2BE9DF63483A368B71CCB938B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000004.00000002.4675674769.0000000002FE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: Joe Security
                                        • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: Florian Roth
                                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: ditekSHen
                                        • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, Author: ditekshen
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 71%, ReversingLabs
                                        Reputation:low
                                        Has exited:false

                                        Target ID:5
                                        Start time:08:56:08
                                        Start date:06/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Imagebase:0x4d0000
                                        File size:3'266'048 bytes
                                        MD5 hash:3E8B57C2BE9DF63483A368B71CCB938B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:08:56:08
                                        Start date:06/09/2024
                                        Path:C:\Windows\System32\schtasks.exe
                                        Wow64 process (32bit):false
                                        Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                                        Imagebase:0x7ff735610000
                                        File size:235'008 bytes
                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:08:56:08
                                        Start date:06/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff66e660000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true


                                          Execution Graph

                                          Execution Coverage:14.9%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:6
                                          Total number of Limit Nodes:0
execution_graph: 7ffd34803569 -> 7ffd34803571 DeleteFileW -> 7ffd34803616; 7ffd34803525 -> 7ffd34803531 DeleteFileW -> 7ffd34803616

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2234171544.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: e14b7e910b447bcc28f3f94e4c7a1d494b64451b4977284e7f24946b711663a9
                                          • Instruction ID: 290c449eba040592dd78b1a10884dd178f24e6527e4c7db1f1b8f52fb0ebe98f
                                          • Opcode Fuzzy Hash: e14b7e910b447bcc28f3f94e4c7a1d494b64451b4977284e7f24946b711663a9
                                          • Instruction Fuzzy Hash: 2341153190DB8C9FDB19DB6888596E9BFF0FF56310F0442AFD049D75A2CA28A805C781

                                          Control-flow Graph

control_flow_graph: function 7ffd34803569-7ffd3480364a (blocks 60, 65, 66, 67, 68); DeleteFileW is called from block 66 (7ffd348035e2-7ffd34803614)
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2234171544.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_7ffd34800000_Client.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 085a30235ed92d9cbaaeef1b31c64651b77a08cc1152fc8927468cfcb9d952e1
                                          • Instruction ID: c315b2422dca20f72590d3ab1cd83b932c72f878e15239bd8602bbf44b390dd6
                                          • Opcode Fuzzy Hash: 085a30235ed92d9cbaaeef1b31c64651b77a08cc1152fc8927468cfcb9d952e1
                                          • Instruction Fuzzy Hash: BF31DE3190CB5C9FDB19DBA888596E9BBF0FF66320F04426BD049D3692CB75A815CB81

                                          Execution Graph

                                          Execution Coverage:6.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:8
                                          Total number of Limit Nodes:1
execution_graph: 7ffd347d3569 -> 7ffd347d3571 DeleteFileW -> 7ffd347d3616; 7ffd34a4e709 -> 7ffd34a4e71f -> 7ffd34a4e8c4 SetWindowsHookExW -> 7ffd34a4e906 (alternate edge 7ffd34a4e71f -> 7ffd34a4e7cb)

                                          Control-flow Graph

control_flow_graph: function 7ffd34a49fd0 (blocks 47-217, 7ffd34a49fd0-7ffd34a4ab3c); calls 7ffd34a453c0, 7ffd34a47a50 and 7ffd34a440b0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAl4$HAl4$HAl4$HAl4$HAl4$HAl4$HAl4
                                          • API String ID: 0-1539364782
                                          • Opcode ID: 7705af680dca76d400fd4f1274b23d55f8ab811e01c00ee19b0bbb27eb933cec
                                          • Instruction ID: c0ef4118459bebf6bce6065efa567ec960c2c1a13054ecfc5a10268c47467261
                                          • Opcode Fuzzy Hash: 7705af680dca76d400fd4f1274b23d55f8ab811e01c00ee19b0bbb27eb933cec
                                          • Instruction Fuzzy Hash: 5162273171C9494FEB98EB2C94A5AB937D1FF9A314B1401BAE54EC7393DE28EC428741
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4688588540.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34b60000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H
                                          • API String ID: 0-2852464175
                                          • Opcode ID: 877bee6fd6dc107cf61031d6f5dfc6c218e1346e3217600f62edf466468c0cbd
                                          • Instruction ID: 0d06ea9b5d2957d38014dc40165e8b1692d741d1366f5466d62546eeb8bcac8c
                                          • Opcode Fuzzy Hash: 877bee6fd6dc107cf61031d6f5dfc6c218e1346e3217600f62edf466468c0cbd
                                          • Instruction Fuzzy Hash: F373E452B19E4B0BF7E5A62C04B527973C2EFDA260B9901BBD15ED32D6ED1CEC025342
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAl4$HAl4$HAl4
                                          • API String ID: 0-2430118954
                                          • Opcode ID: 06043be47622c692ec6c367dafb60dfbfffcdc25b3e6cf573432641d363a9ffe
                                          • Instruction ID: ae70d4a5ed424edbb0f5581a618e793722a4493e4008a960430b8ffd4392c34d
                                          • Opcode Fuzzy Hash: 06043be47622c692ec6c367dafb60dfbfffcdc25b3e6cf573432641d363a9ffe
                                          • Instruction Fuzzy Hash: 6472F67171CA494FEBA4EB2CC4A5A7837D1FF5A315B2400B9D14EC72A2DE2CEC859741

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAl4$HAl4$HAl4
                                          • API String ID: 0-2430118954
                                          • Opcode ID: ff37c485d4dcab6d0bd632921f4daa31b3a9c4f2ca35492aeb3465d3d0a42e7a
                                          • Instruction ID: de3b65f0502be0d594ff3607a3f521d20d83a7d1aa6b9b4b11a58c6ad4a35d62
                                          • Opcode Fuzzy Hash: ff37c485d4dcab6d0bd632921f4daa31b3a9c4f2ca35492aeb3465d3d0a42e7a
                                          • Instruction Fuzzy Hash: 85520871B18E094FEBA4DB1C84A5679B3E1FF99305F1402BDD58EC3282DE28F8428780
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAl4$HAl4
                                          • API String ID: 0-1187830295
                                          • Opcode ID: d4c41c1bb9c0977d4807c169c4c577cf34ec42f6b52065117a528b1153ee0962
                                          • Instruction ID: b42aafae436ebbedb1978662df531d880260f6d671c9e4831edb16b2a25ed603
                                          • Opcode Fuzzy Hash: d4c41c1bb9c0977d4807c169c4c577cf34ec42f6b52065117a528b1153ee0962
                                          • Instruction Fuzzy Hash: 7AF28F70A18A098FDB98DF18C494BA977E2FF59304F2441B9D54ED7392DE39E882DB40
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAl4$HAl4
                                          • API String ID: 0-1187830295
                                          • Opcode ID: 77ac3b250be9eb20ec3963f7b5a78fd312caacd5fc61682dd9148bf1760dac24
                                          • Instruction ID: 768c34efbde3b0f6d63e9442b4b79bace8ee50d5c3ff1c23addbb69d4933378d
                                          • Opcode Fuzzy Hash: 77ac3b250be9eb20ec3963f7b5a78fd312caacd5fc61682dd9148bf1760dac24
                                          • Instruction Fuzzy Hash: 5FA26D71B1DA894FE7A5DB2884A56A83BE0FF5B314F1441FAD18DC7193DE1CAC0A8741

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: HAl4$HAl4
                                          • API String ID: 0-1187830295
                                          • Opcode ID: 7b447a61ec6d36d979c31179bbd8b191fe5f2a97b0c86a85e2a5e7b7e920f4a5
                                          • Instruction ID: e8a1f91f3957a2c8b1180f28f8da922104c7537296ef8bc93870676f63e4f34c
                                          • Opcode Fuzzy Hash: 7b447a61ec6d36d979c31179bbd8b191fe5f2a97b0c86a85e2a5e7b7e920f4a5
                                          • Instruction Fuzzy Hash: C9F1E230B1CA494FEBA5EB2C84A567477E2FF9A324F1404B9D14EC7692CE2DAC469740
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f9d8b8bab682c808a968080692b60665deb0129b87accd6c0cfc653ce2ebf8d
                                          • Instruction ID: e21a24d3dbe5e5f823aaa07d40d3a9dd8c3084624c2491459c4093ffee37b5d5
                                          • Opcode Fuzzy Hash: 7f9d8b8bab682c808a968080692b60665deb0129b87accd6c0cfc653ce2ebf8d
                                          • Instruction Fuzzy Hash: DB525230B18A498FEB98EB2CC4A476977E1FF99304F1445B9E54DC73A2DE39E8418B41
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 280fb27fc4c79067eb1ff7f1b6ad8b2dc2413b624727d9d07b7bd559007a2401
                                          • Instruction ID: 568ac2c26aefa5bfb0c332b9e5aeeb14af7ca1b1c0e897d40c13154e10b64842
                                          • Opcode Fuzzy Hash: 280fb27fc4c79067eb1ff7f1b6ad8b2dc2413b624727d9d07b7bd559007a2401
                                          • Instruction Fuzzy Hash: F4228270B1CA094FEB98DB2884A57B977E5FF9A304F64417DD54EC3392CE38A8468B41
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5e082de51b60956a9050de04b07892a2c3374ba79b51cad4a5108c0c5a6876ff
                                          • Instruction ID: ebd4f5d44fe4292d54fc09cce4133899e2eb39b3e0b33badfb2444ddf34e5e02
                                          • Opcode Fuzzy Hash: 5e082de51b60956a9050de04b07892a2c3374ba79b51cad4a5108c0c5a6876ff
                                          • Instruction Fuzzy Hash: 34025C70B18A198FEB98DF18C4947A977E1FF99305F2445B9D54ED33A1DA38B8818B40
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 187aca03b44dd74dfca7eb624821722ae3afc0270cc43bfed1d54a4e5cf62248
                                          • Instruction ID: c988070c29d38e56a5394d33621a7079626e6a6976d6e40d140f02111efee321
                                          • Opcode Fuzzy Hash: 187aca03b44dd74dfca7eb624821722ae3afc0270cc43bfed1d54a4e5cf62248
                                          • Instruction Fuzzy Hash: B9F1A430A08A8D8FEBA8DF28C8557F977D1FF55311F14426EE84DC7291DB38A9458B82
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be9cc14ab3c758bd42e474c4bfd58316bbdd240cf8d38e5539d1d5a1b6493fa0
                                          • Instruction ID: 7b851e66155a4bde2dd677cf3a570a514a741c90a73d693eb3836f67b2568eed
                                          • Opcode Fuzzy Hash: be9cc14ab3c758bd42e474c4bfd58316bbdd240cf8d38e5539d1d5a1b6493fa0
                                          • Instruction Fuzzy Hash: F7E19330A08A4D8FEBA8DF28C8A57F977E1FB54311F10426EE84DC7291DF7899558B81
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d764bbb9309952ea361f5a877cc4c95831e0ddab7fbe649b471550a61a05acd0
                                          • Instruction ID: 1b5d0f976baacd54fb3a2afacab9f4077a890cb15a732145626964205fcac4d4
                                          • Opcode Fuzzy Hash: d764bbb9309952ea361f5a877cc4c95831e0ddab7fbe649b471550a61a05acd0
                                          • Instruction Fuzzy Hash: F1416E32A0CB861BD358EF7894A91F97BD0EF56324B28017FE1CDC7583DE29A4858384

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4685321728.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd347d0000_workbook.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID: ` }4
                                          • API String ID: 4033686569-2567609841
                                          • Opcode ID: 95496b8800f9f4358045f98b80aef33d29fa39bcd8077e57b721c09266c49d6c
                                          • Instruction ID: 306a51130094a0f3280bc15fafd28a4fc4297c158fe9878cb796ba93d8a16222
                                          • Opcode Fuzzy Hash: 95496b8800f9f4358045f98b80aef33d29fa39bcd8077e57b721c09266c49d6c
                                          • Instruction Fuzzy Hash: BE41237190DA4C9FDB19DF6888596F9BBF0FF56311F04426BD049D7292CB28A809C791
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4687876922.00007FFD34A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34A40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34a40000_workbook.jbxd
                                          Similarity
                                          • API ID: HookWindows
                                          • String ID:
                                          • API String ID: 2559412058-0
                                          • Opcode ID: 15d66cf09431734a41aa2b0ee6b4127634557725aa3961af56a0fafda542ccc7
                                          • Instruction ID: 1db1fc64a046573a55dcae3d31c69fd42ae802f956f41574706f2571d906da55
                                          • Opcode Fuzzy Hash: 15d66cf09431734a41aa2b0ee6b4127634557725aa3961af56a0fafda542ccc7
                                          • Instruction Fuzzy Hash: 3D710871A1DA494FDB58AB6C98A61B977E0FF5A310B1441BFE049C7283DE28A846C781
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4685321728.00007FFD347D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd347d0000_workbook.jbxd
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 5fc052ddf04baf6f87704566a25fc81a1fd03dd4603d3492ad14a7ddf782695d
                                          • Instruction ID: 5432c595cc48ff979b3b6d9d946e911473e7c5c91e18ba8e252aaf2e4d2fa165
                                          • Opcode Fuzzy Hash: 5fc052ddf04baf6f87704566a25fc81a1fd03dd4603d3492ad14a7ddf782695d
                                          • Instruction Fuzzy Hash: 1731D07190CB5C8FDB19DBA888596F9BBF0FF66311F04426BD049D3292CB74A809CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4688588540.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34b60000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: H
                                          • API String ID: 0-2852464175
                                          • Opcode ID: 0c140ac6a200510d991e728dba9304f114a3d9da1fc807d8edebcaa47dd58ffd
                                          • Instruction ID: a4b387db2324404fd6fcdcef2f538b05e316c0034050a681f8e273d14cef2327
                                          • Opcode Fuzzy Hash: 0c140ac6a200510d991e728dba9304f114a3d9da1fc807d8edebcaa47dd58ffd
                                          • Instruction Fuzzy Hash: F121DA42B1DD4A0BF7E6A62C14F527876C2EF9A520B98017AD55EC32D6DD2CEC425341
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4688588540.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34b60000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d5176724b108f8715afaae9d38c24d6d476859d25a3c2191fe13ab845d099c2
                                          • Instruction ID: ff29b63f07131ca89f4d1edc0827add72b845096ea5e3344c5baacd48947ce85
                                          • Opcode Fuzzy Hash: 2d5176724b108f8715afaae9d38c24d6d476859d25a3c2191fe13ab845d099c2
                                          • Instruction Fuzzy Hash: C2816D11B29EA61BE785AB6C84E57B576D2EF9A310F94407AD24DC32C7CE1CAC059382
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4685002529.00007FFD346BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd346bd000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c89b31da57a98c99fcb040751a4c870e8bed0e471f4ceab9990318c3a5eae343
                                          • Instruction ID: d77838a76333e928169c3c74ef37800fe967519c72b01a4c4560b3d41b22d95b
                                          • Opcode Fuzzy Hash: c89b31da57a98c99fcb040751a4c870e8bed0e471f4ceab9990318c3a5eae343
                                          • Instruction Fuzzy Hash: B341C13150DBC44FD75A8F29D8959923FF0EF57320B1506DFD088CB1A3DA69A84AC7A2
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4688588540.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34b60000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 683d9680285f9a60df00f1c82f10d9eb0aacbe4b666e7681ae6ff9353a84d613
                                          • Instruction ID: 74c30f4ddb3df6a77d4d93ba8838884ec45294f54d1e9a086ae5d0c9b2674269
                                          • Opcode Fuzzy Hash: 683d9680285f9a60df00f1c82f10d9eb0aacbe4b666e7681ae6ff9353a84d613
                                          • Instruction Fuzzy Hash: B6310762B1DA894FE795DB2D58B62B477C1EF56320F0401BEE48EC3293DE1DA8429743
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4688588540.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd34b60000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 723a7069a8d7251c3c9202652f80cdb988da9aac8764e86a0c01b2a775f040e5
                                          • Instruction ID: 890afaaacfd7bff0c05c4b229077e591adf71282707f84a836933cf1725cb421
                                          • Opcode Fuzzy Hash: 723a7069a8d7251c3c9202652f80cdb988da9aac8764e86a0c01b2a775f040e5
                                          • Instruction Fuzzy Hash: 15313962B1DA490FE798DB1D58662B577C1EB56320F54027ED48ED32D3DE1CAC069343
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.4688588540.00007FFD34B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34B60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db8742b58c2bf05bb207f907c408016c9041308177a118b6e34e64cf96b17216
                                          • Instruction ID: 90f0113ef9faa9cfcdb7185f9b8be19fb84f2be844d5b9a05a7ce15b7ef57a05
                                          • Opcode Fuzzy Hash: db8742b58c2bf05bb207f907c408016c9041308177a118b6e34e64cf96b17216
                                          • Instruction Fuzzy Hash: 05410922B1CA891FEB92EB6854B16F977A1EF97310F0401B6E14DC72D3DE2CAC059741
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eee222a4f341ebf089cc188081ff6011e626830614f8a5cb6b64ddbad1c163bd
                                          • Instruction ID: 98fc337f6c3fcb950451a646d7ee2793d79363a3201f10e0f7b719c091d1f631
                                          • Opcode Fuzzy Hash: eee222a4f341ebf089cc188081ff6011e626830614f8a5cb6b64ddbad1c163bd
                                          • Instruction Fuzzy Hash: ED313531F18A0C4FE791EB6D98A95B977E1FF59311B0501BAE00CC3292DE39D840C780
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 746a778b5bfa31160c3d9892433018a29dd34c34232e1801f3bfcafe0cf25d41
                                          • Instruction ID: 6fa8fa7548f7709e5e75e646e476b9a494ec0511efd3664adec455cd8d4e9f5c
                                          • Opcode Fuzzy Hash: 746a778b5bfa31160c3d9892433018a29dd34c34232e1801f3bfcafe0cf25d41
                                          • Instruction Fuzzy Hash: 4321493171D5815FEB55DF28C4E54A57B91EF52320B1882F9D108CF1ABDA2DEC86C381
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9b61216ec5b06df936bb68b53716d20891e7718d0c59406bd2c5d86180eb4cce
                                          • Instruction ID: a0ff1de47a0fcedc2686775f413749ea52f55dafa53b0c850a5d8e92f56958a4
                                          • Opcode Fuzzy Hash: 9b61216ec5b06df936bb68b53716d20891e7718d0c59406bd2c5d86180eb4cce
                                          • Instruction Fuzzy Hash: 5031B23165DA4D4FF315E76CC8A27F93F61EB84304F8842ACE4198B39ACA3D6901C751
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b58879967a8183ce273999fb52ae93177e6414ee0b34f4d33c39ffd7867d415c
                                          • Instruction ID: 967d4529158507f61a26e6569150679c816c68e933d30fc8d3c7631a51c1f5a9
                                          • Opcode Fuzzy Hash: b58879967a8183ce273999fb52ae93177e6414ee0b34f4d33c39ffd7867d415c
                                          • Instruction Fuzzy Hash: FC119921B1DF851FE342A7386CAA4F27BD0EFA132470802BBE40DC71A3CD1DA9868341
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 918cb7c9c3502061e6ecaa91fcd0b409ef796538d0bd6469f8b245d11773a8a0
                                          • Instruction ID: 6ab251cd05dbe714d813c05239d12c83e00e6176434d7a7695c487d45e88ba8d
                                          • Opcode Fuzzy Hash: 918cb7c9c3502061e6ecaa91fcd0b409ef796538d0bd6469f8b245d11773a8a0
                                          • Instruction Fuzzy Hash: 8C112792A2DD8A4BF3A5E76468766A9A790FF96340F8406BDD14ACB1D3DC1C78444381
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be3e6e328b0c923dcf3c7d9ee286ae827cd74973ad5fd1c93095eb467b5184d7
                                          • Instruction ID: 44b928deba08438d4fd7abdfd60655218bb7f8f6c216e8e0ad055d5c57b0e2aa
                                          • Opcode Fuzzy Hash: be3e6e328b0c923dcf3c7d9ee286ae827cd74973ad5fd1c93095eb467b5184d7
                                          • Instruction Fuzzy Hash: 2911E920B1EAC81FE347E33858A8BA43FD1AF47224B0901F7D048CB1A3C9594C45C342
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4bffe6181c2d27f851f9a2668d58d4b0f7cabf532613b042d669029d4585ac1c
                                          • Instruction ID: e4ecffbda2b7f51346e0d870bdf37dc4c41fbd8d77a1979fb6440745d12e40a3
                                          • Opcode Fuzzy Hash: 4bffe6181c2d27f851f9a2668d58d4b0f7cabf532613b042d669029d4585ac1c
                                          • Instruction Fuzzy Hash: 2F014513B39C8E0AD6A6A32C68E59F573D2EF97310B0407BBE40DD6286DD1878428381
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbba8a03d031f9783e1c05b9a3ac3b6af44a19e93376a717b908d962465e3af4
                                          • Instruction ID: 2bc4e9c26fa5cc4a2248e91b2309283d0419e841974679cfdb1da8eb2dca849b
                                          • Opcode Fuzzy Hash: bbba8a03d031f9783e1c05b9a3ac3b6af44a19e93376a717b908d962465e3af4
                                          • Instruction Fuzzy Hash: 6AF0B422B18C1D1FE754F3AD54EDAFA67D9DFAD22571402B7E50CC72A3DC1998828380
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f651f757393b58d8e0fd1121fcc3f11236c7dc6a4cec25f4596dadf185172fbf
                                          • Instruction ID: 3e9187a0d3425164e6de2ecaaf933756f62f49dd26db8a6166b2335bbf39bc3f
                                          • Opcode Fuzzy Hash: f651f757393b58d8e0fd1121fcc3f11236c7dc6a4cec25f4596dadf185172fbf
                                          • Instruction Fuzzy Hash: 36E09221F28C1D1FABA4F3AD44DDF7962C6EFAC22171005B6E40CC73A2DC199C819380
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 26790d763ae03fd6b4cedaffe498ef14f369d9e78fb0b21dd059f710ad1b005b
                                          • Instruction ID: 7aeafd441c09b8aa347fbbd2d75ccc27232b6320c3627d9d0b48139ca61fc52b
                                          • Opcode Fuzzy Hash: 26790d763ae03fd6b4cedaffe498ef14f369d9e78fb0b21dd059f710ad1b005b
                                          • Instruction Fuzzy Hash: 94E08622F1D91607E585333C24661FC13C0DF46691F44157AE74ED7283DC1D6D8342C4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2259600194.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_7ffd34800000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: da909bd91bb5a98980b94e1cd4461e6d9b98cbee5e2f93559fe799e702738c2a
                                          • Instruction ID: cdbe6953018bb27699981efd9c0d081479ec6b62c5ad6cf7088f783813233743
                                          • Opcode Fuzzy Hash: da909bd91bb5a98980b94e1cd4461e6d9b98cbee5e2f93559fe799e702738c2a
                                          • Instruction Fuzzy Hash: FCC01262A24E4E5B9B55DB4824D12F86291FFC83807900239950CE11A5CF681862A240