Edit tour

Windows Analysis Report
doc_Zapytanie - Oferta KH 09281.com.exe

Overview

General Information

Sample name:	doc_Zapytanie - Oferta KH 09281.com.exe
Analysis ID:	1508493
MD5:	d5def75143e3302847f9e6f64a1cad4e
SHA1:	8c914dd231daff31092bf5de3db22eb9c07c622d
SHA256:	f9fe40ca4d842619322a11c4013a2210132d4c7afa0c4ae88be17f13ee6d1b16
Tags:	exe
Infos:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Quasar RAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

doc_Zapytanie - Oferta KH 09281.com.exe (PID: 3556 cmdline: "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe" MD5: D5DEF75143E3302847F9E6F64A1CAD4E)

doc_Zapytanie - Oferta KH 09281.com.exe (PID: 1560 cmdline: "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe" MD5: D5DEF75143E3302847F9E6F64A1CAD4E)

schtasks.exe (PID: 4836 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

workbook.exe (PID: 5064 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: D5DEF75143E3302847F9E6F64A1CAD4E)

workbook.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: D5DEF75143E3302847F9E6F64A1CAD4E)

schtasks.exe (PID: 6488 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

workbook.exe (PID: 6076 cmdline: C:\Users\user\AppData\Roaming\SubDir\workbook.exe MD5: D5DEF75143E3302847F9E6F64A1CAD4E)

workbook.exe (PID: 2316 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: D5DEF75143E3302847F9E6F64A1CAD4E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Quasar RAT, QuasarRAT	Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.	APT33 Dropping Elephant Stone Panda The Gorgon Group	http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848 https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf https://asec.ahnlab.com/en/31089/	https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2145144757.0000000003017000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000002.2098856236.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 1560	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: workbook.exe PID: 5064	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: workbook.exe PID: 5064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: workbook.exe PID: 6076	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: workbook.exe PID: 6076	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: workbook.exe PID: 6204	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.workbook.exe.2bacc80.1.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.33eccc8.0.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4d:$x1: Quasar.Common.Messages 0x29f276:$x1: Quasar.Common.Messages 0x2ab83a:$x4: Uninstalling... good bye :-( 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadec:$f1: FileZilla\recentservers.xml 0x2aae2c:$f2: FileZilla\sitemanager.xml 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ba:$b1: Chrome\User Data\ 0x2ab110:$b1: Chrome\User Data\ 0x2ab3e8:$b2: Mozilla\Firefox\Profiles 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6f6:$b5: YandexBrowser\User Data\ 0x2ab764:$b5: YandexBrowser\User Data\ 0x2ab438:$s4: logins.json 0x2ab16e:$a1: username_value 0x2ab18c:$a2: password_value 0x2ab478:$a3: encryptedUsername 0x2fd384:$a3: encryptedUsername 0x2ab49c:$a4: encryptedPassword 0x2fd3a2:$a4: encryptedPassword 0x2fd320:$a5: httpRealm
3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab924:$s3: Process already elevated. 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords 0x278d08:$s5: GetKeyloggerLogsDirectory 0x29e9d5:$s5: GetKeyloggerLogsDirectory 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
7.2.workbook.exe.905fe58.3.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.workbook.exe.905fe58.3.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d14d:$x1: Quasar.Common.Messages 0x29d476:$x1: Quasar.Common.Messages 0x2a9a3a:$x4: Uninstalling... good bye :-( 0x2ab22f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.workbook.exe.905fe58.3.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fec:$f1: FileZilla\recentservers.xml 0x2a902c:$f2: FileZilla\sitemanager.xml 0x2a906e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ba:$b1: Chrome\User Data\ 0x2a9310:$b1: Chrome\User Data\ 0x2a95e8:$b2: Mozilla\Firefox\Profiles 0x2a96e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb640:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a983c:$b4: Opera Software\Opera Stable\Login Data 0x2a98f6:$b5: YandexBrowser\User Data\ 0x2a9964:$b5: YandexBrowser\User Data\ 0x2a9638:$s4: logins.json 0x2a936e:$a1: username_value 0x2a938c:$a2: password_value 0x2a9678:$a3: encryptedUsername 0x2fb584:$a3: encryptedUsername 0x2a969c:$a4: encryptedPassword 0x2fb5a2:$a4: encryptedPassword 0x2fb520:$a5: httpRealm
7.2.workbook.exe.905fe58.3.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b24:$s3: Process already elevated. 0x28ce4c:$s4: get_PotentiallyVulnerablePasswords 0x276f08:$s5: GetKeyloggerLogsDirectory 0x29cbd5:$s5: GetKeyloggerLogsDirectory 0x28ce6f:$s6: set_PotentiallyVulnerablePasswords 0x2fcc6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28d14d:$x1: Quasar.Common.Messages 0x29d476:$x1: Quasar.Common.Messages 0x2a9a3a:$x4: Uninstalling... good bye :-( 0x2ab22f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2a8fec:$f1: FileZilla\recentservers.xml 0x2a902c:$f2: FileZilla\sitemanager.xml 0x2a906e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2a92ba:$b1: Chrome\User Data\ 0x2a9310:$b1: Chrome\User Data\ 0x2a95e8:$b2: Mozilla\Firefox\Profiles 0x2a96e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fb640:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2a983c:$b4: Opera Software\Opera Stable\Login Data 0x2a98f6:$b5: YandexBrowser\User Data\ 0x2a9964:$b5: YandexBrowser\User Data\ 0x2a9638:$s4: logins.json 0x2a936e:$a1: username_value 0x2a938c:$a2: password_value 0x2a9678:$a3: encryptedUsername 0x2fb584:$a3: encryptedUsername 0x2a969c:$a4: encryptedPassword 0x2fb5a2:$a4: encryptedPassword 0x2fb520:$a5: httpRealm
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2a9b24:$s3: Process already elevated. 0x28ce4c:$s4: get_PotentiallyVulnerablePasswords 0x276f08:$s5: GetKeyloggerLogsDirectory 0x29cbd5:$s5: GetKeyloggerLogsDirectory 0x28ce6f:$s6: set_PotentiallyVulnerablePasswords 0x2fcc6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
7.2.workbook.exe.905fe58.3.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
7.2.workbook.exe.905fe58.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
7.2.workbook.exe.905fe58.3.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4d:$x1: Quasar.Common.Messages 0x29f276:$x1: Quasar.Common.Messages 0x2ab83a:$x4: Uninstalling... good bye :-( 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
7.2.workbook.exe.905fe58.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadec:$f1: FileZilla\recentservers.xml 0x2aae2c:$f2: FileZilla\sitemanager.xml 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ba:$b1: Chrome\User Data\ 0x2ab110:$b1: Chrome\User Data\ 0x2ab3e8:$b2: Mozilla\Firefox\Profiles 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6f6:$b5: YandexBrowser\User Data\ 0x2ab764:$b5: YandexBrowser\User Data\ 0x2ab438:$s4: logins.json 0x2ab16e:$a1: username_value 0x2ab18c:$a2: password_value 0x2ab478:$a3: encryptedUsername 0x2fd384:$a3: encryptedUsername 0x2ab49c:$a4: encryptedPassword 0x2fd3a2:$a4: encryptedPassword 0x2fd320:$a5: httpRealm
7.2.workbook.exe.905fe58.3.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab924:$s3: Process already elevated. 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords 0x278d08:$s5: GetKeyloggerLogsDirectory 0x29e9d5:$s5: GetKeyloggerLogsDirectory 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack	MAL_QuasarRAT_May19_1	Detects QuasarRAT malware	Florian Roth	0x28ef4d:$x1: Quasar.Common.Messages 0x29f276:$x1: Quasar.Common.Messages 0x5ac36d:$x1: Quasar.Common.Messages 0x5bc696:$x1: Quasar.Common.Messages 0x2ab83a:$x4: Uninstalling... good bye :-( 0x5c8c5a:$x4: Uninstalling... good bye :-( 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ... 0x5ca44f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x2aadec:$f1: FileZilla\recentservers.xml 0x5c820c:$f1: FileZilla\recentservers.xml 0x2aae2c:$f2: FileZilla\sitemanager.xml 0x5c824c:$f2: FileZilla\sitemanager.xml 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x5c828e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions 0x2ab0ba:$b1: Chrome\User Data\ 0x2ab110:$b1: Chrome\User Data\ 0x5c84da:$b1: Chrome\User Data\ 0x5c8530:$b1: Chrome\User Data\ 0x2ab3e8:$b2: Mozilla\Firefox\Profiles 0x5c8808:$b2: Mozilla\Firefox\Profiles 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x5c8904:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x61a860:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data 0x5c8a5c:$b4: Opera Software\Opera Stable\Login Data 0x2ab6f6:$b5: YandexBrowser\User Data\ 0x2ab764:$b5: YandexBrowser\User Data\ 0x5c8b16:$b5: YandexBrowser\User Data\
0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack	MALWARE_Win_QuasarStealer	Detects Quasar infostealer	ditekshen	0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x482336:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null 0x2ab924:$s3: Process already elevated. 0x5c8d44:$s3: Process already elevated. 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords 0x5ac06c:$s4: get_PotentiallyVulnerablePasswords 0x278d08:$s5: GetKeyloggerLogsDirectory 0x29e9d5:$s5: GetKeyloggerLogsDirectory 0x596128:$s5: GetKeyloggerLogsDirectory 0x5bbdf5:$s5: GetKeyloggerLogsDirectory 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords 0x5ac08f:$s6: set_PotentiallyVulnerablePasswords 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues> 0x61be8e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, ParentProcessId: 6204, ParentProcessName: workbook.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 6488, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe", ParentImage: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe, ParentProcessId: 1560, ParentProcessName: doc_Zapytanie - Oferta KH 09281.com.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 4836, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-10T10:06:11.627493+0200	2035595	1	Domain Observed Used for C2 Detected	213.159.74.80	9792	192.168.2.5	49709	TCP

ET MALWARE Observed Malicious SSL Cert (Quasar CnC)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-10T10:06:11.627493+0200	2027619	1	Domain Observed Used for C2 Detected	213.159.74.80	9792	192.168.2.5	49709	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.workbook.exe.905fe58.3.raw.unpack

Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Multi AV Scanner detection for domain / URL

Source: twart.myfirewall.org	Virustotal: Detection: 10%			Perma Link
Source: twart.myfirewall.org	Virustotal: Detection: 10%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Virustotal: Detection: 27%			Perma Link

Multi AV Scanner detection for submitted file

Source: doc_Zapytanie - Oferta KH 09281.com.exe	Virustotal: Detection: 27%			Perma Link
Source: doc_Zapytanie - Oferta KH 09281.com.exe	ReversingLabs: Detection: 13%

Yara detected Quasar RAT

Source: Yara match	File source: 6.2.workbook.exe.2bacc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.33eccc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2145144757.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2098856236.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6204, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: kmrq.pdbSHA256F source: doc_Zapytanie - Oferta KH 09281.com.exe, workbook.exe.3.dr
Source:	Binary string: kmrq.pdb source: doc_Zapytanie - Oferta KH 09281.com.exe, workbook.exe.3.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 213.159.74.80:9792 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 213.159.74.80:9792 -> 192.168.2.5:49709

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: twart.myfirewall.org

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49709 -> 213.159.74.80:9792

Source: Joe Sandbox View	IP Address: 213.159.74.80 213.159.74.80
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90
Source: Joe Sandbox View	IP Address: 195.201.57.90 195.201.57.90

Source: Joe Sandbox View

ASN Name: CTINET-ASCTINETAutonomousSystemRU CTINET-ASCTINETAutonomousSystemRU

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

DNS query: name: ipwho.is

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic	DNS traffic detected: DNS query: ipwho.is

Source: workbook.exe, 00000008.00000002.4514405749.0000000005B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.
Source: workbook.exe, 00000008.00000002.4494264091.0000000001565000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: workbook.exe, 00000008.00000002.4513857508.0000000005A50000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: workbook.exe, 00000008.00000002.4497355884.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.is
Source: workbook.exe, 00000008.00000002.4497355884.0000000003476000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipwho.isd
Source: workbook.exe, 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: workbook.exe, 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2083425551.0000000003021000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000008.00000002.4497355884.00000000032BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: doc_Zapytanie - Oferta KH 09281.com.exe, workbook.exe.3.dr	String found in binary or memory: http://tempuri.org/ADWRBWWQNJ.xsd
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: workbook.exe, 00000008.00000002.4497355884.0000000003464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000008.00000002.4497355884.0000000003464000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipwho.is/
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000008.00000002.4497355884.00000000032E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.5:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Jump to behavior

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match	File source: 6.2.workbook.exe.2bacc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.33eccc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2145144757.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2098856236.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6204, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar infostealer Author: ditekshen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: doc_Zapytanie - Oferta KH 09281.com.exe

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_015FD424	0_2_015FD424
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03205D98	0_2_03205D98
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_032029E0	0_2_032029E0
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03200007	0_2_03200007
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03200040	0_2_03200040
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_032020B0	0_2_032020B0
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03201C68	0_2_03201C68
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03200469	0_2_03200469
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03200478	0_2_03200478
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_03201C78	0_2_03201C78
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 0_2_032044A0	0_2_032044A0
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 3_2_012CF03C	3_2_012CF03C
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 3_2_053E9068	3_2_053E9068
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 3_2_053E20D0	3_2_053E20D0
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 3_2_053E0518	3_2_053E0518
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 3_2_053E050B	3_2_053E050B
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Code function: 3_2_053E9EE0	3_2_053E9EE0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_00E3D424	6_2_00E3D424
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC5D98	6_2_04BC5D98
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC44A0	6_2_04BC44A0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC0478	6_2_04BC0478
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC1C78	6_2_04BC1C78
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC1C68	6_2_04BC1C68
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC0469	6_2_04BC0469
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC20B0	6_2_04BC20B0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC0040	6_2_04BC0040
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_04BC29E0	6_2_04BC29E0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_05077C30	6_2_05077C30
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_05070078	6_2_05070078
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_05070088	6_2_05070088
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 6_2_05077C20	6_2_05077C20
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_014AD424	7_2_014AD424
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E15C80	7_2_02E15C80
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E120A0	7_2_02E120A0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E120B0	7_2_02E120B0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E10040	7_2_02E10040
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E129E0	7_2_02E129E0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E10469	7_2_02E10469
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E11C68	7_2_02E11C68
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E10478	7_2_02E10478
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 7_2_02E11C78	7_2_02E11C78
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_0308F03C	8_2_0308F03C
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_0828B6E0	8_2_0828B6E0
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08287E48	8_2_08287E48
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 11_2_0184F03C	11_2_0184F03C
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 11_2_058F3CE8	11_2_058F3CE8

Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000000.2030255412.0000000000EA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekmrq.exe@ vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2053290340.00000000016CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2053895810.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062081256.0000000007600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta KH 09281.com.exe
Source: doc_Zapytanie - Oferta KH 09281.com.exe	Binary or memory string: OriginalFilenamekmrq.exe@ vs doc_Zapytanie - Oferta KH 09281.com.exe

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/5@2/2

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\doc_Zapytanie - Oferta KH 09281.com.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\0235e291-5d04-4fa3-932c-869aeec51499
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: doc_Zapytanie - Oferta KH 09281.com.exe	Virustotal: Detection: 27%
Source: doc_Zapytanie - Oferta KH 09281.com.exe	ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

File read: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe"
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe"
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static file information: File size 3863552 > 1048576

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3ae800

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: kmrq.pdbSHA256F source: doc_Zapytanie - Oferta KH 09281.com.exe, workbook.exe.3.dr
Source:	Binary string: kmrq.pdb source: doc_Zapytanie - Oferta KH 09281.com.exe, workbook.exe.3.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: doc_Zapytanie - Oferta KH 09281.com.exe, MainForm.cs

.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: doc_Zapytanie - Oferta KH 09281.com.exe

Static PE information: 0x82361C0D [Thu Mar 24 12:56:45 2039 UTC]

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_0828892D push 0000005Eh; iretd	8_2_082889F6
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_082889F7 push 0000005Eh; iretd	8_2_082889F6
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08288A6C push 0000005Eh; iretd	8_2_08288ADE
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08288ADF push 0000005Eh; iretd	8_2_08288ADE
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08281BF1 push 0000005Eh; iretd	8_2_08281C1E
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08281CEF push 0000005Eh; iretd	8_2_08281D06
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08281D07 push 0000005Eh; iretd	8_2_08281DEE
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Code function: 8_2_08281E6A push 0000005Eh; iretd	8_2_08281ED6

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

File created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	File opened: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6076, type: MEMORYSTR

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 31A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 8C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 7670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: A0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: B0F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: B4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 3020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory allocated: 14F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 4B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 7ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 8ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 94F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: A4F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: A870000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 72C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 9860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: A860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 32B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 1840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Window / User API: threadDelayed 4059			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Window / User API: threadDelayed 5631			Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe TID: 1568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe TID: 4140	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 1532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 6768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 2820	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 6152	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 2352	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: workbook.exe, 00000008.00000002.4525854592.0000000007607000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: workbook.exe, 00000008.00000002.4513857508.0000000005A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0b
Source: workbook.exe, 00000008.00000002.4514405749.0000000005B28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWyp\

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Memory written: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\workbook.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Memory written: C:\Users\user\AppData\Roaming\SubDir\workbook.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe"	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match	File source: 6.2.workbook.exe.2bacc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.33eccc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2145144757.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2098856236.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6204, type: MEMORYSTR

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match	File source: 6.2.workbook.exe.2bacc80.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.33eccc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.doc_Zapytanie - Oferta KH 09281.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.workbook.exe.905fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.doc_Zapytanie - Oferta KH 09281.com.exe.471bd40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2145144757.0000000003017000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2098856236.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 3556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: doc_Zapytanie - Oferta KH 09281.com.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 5064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: workbook.exe PID: 6204, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
doc_Zapytanie - Oferta KH 09281.com.exe	27%	Virustotal		Browse
doc_Zapytanie - Oferta KH 09281.com.exe	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\SubDir\workbook.exe	13%	ReversingLabs
C:\Users\user\AppData\Roaming\SubDir\workbook.exe	27%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
ipwho.is	0%	Virustotal	Browse
twart.myfirewall.org	10%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ipify.org/	0%	Avira URL Cloud	safe
https://stackoverflow.com/q/14436606/23354	0%	Virustotal		Browse
http://tempuri.org/ADWRBWWQNJ.xsd	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/d	0%	Avira URL Cloud	safe
https://stackoverflow.com/q/14436606/23354	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
https://stackoverflow.com/q/11564914/23354;	0%	Avira URL Cloud	safe
https://api.ipify.org/	0%	Virustotal		Browse
twart.myfirewall.org	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/d	0%	Virustotal		Browse
http://ipwho.isd	0%	Avira URL Cloud	safe
https://ipwho.is	0%	Avira URL Cloud	safe
https://stackoverflow.com/q/2152978/23354sCannot	0%	Avira URL Cloud	safe
https://stackoverflow.com/q/11564914/23354;	0%	Virustotal		Browse
http://schemas.datacontract.org/2004/07/	0%	Virustotal		Browse
https://ipwho.is/	0%	Avira URL Cloud	safe
http://tempuri.org/ADWRBWWQNJ.xsd	1%	Virustotal		Browse
twart.myfirewall.org	10%	Virustotal		Browse
http://ipwho.is	0%	Avira URL Cloud	safe
http://crl.microsoft.	0%	Avira URL Cloud	safe
https://ipwho.is/	0%	Virustotal		Browse
http://ipwho.is	0%	Virustotal		Browse
http://crl.microsoft.	0%	Virustotal		Browse
https://stackoverflow.com/q/2152978/23354sCannot	0%	Virustotal		Browse
https://ipwho.is	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
ipwho.is	195.201.57.90	true	false	0%, Virustotal, Browse	unknown
twart.myfirewall.org	213.159.74.80	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
twart.myfirewall.org	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipwho.is/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/d	workbook.exe, 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/ADWRBWWQNJ.xsd	doc_Zapytanie - Oferta KH 09281.com.exe, workbook.exe.3.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/14436606/23354	doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000008.00000002.4497355884.00000000032E2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.datacontract.org/2004/07/	workbook.exe, 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ipwho.isd	workbook.exe, 00000008.00000002.4497355884.0000000003476000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipwho.is	workbook.exe, 00000008.00000002.4497355884.0000000003464000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/2152978/23354sCannot	doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	doc_Zapytanie - Oferta KH 09281.com.exe, 00000003.00000002.2083425551.0000000003021000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000008.00000002.4497355884.00000000032BC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ipwho.is	workbook.exe, 00000008.00000002.4497355884.0000000003476000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.microsoft.	workbook.exe, 00000008.00000002.4514405749.0000000005B28000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.159.74.80	twart.myfirewall.org	Russian Federation		13078	CTINET-ASCTINETAutonomousSystemRU	true
195.201.57.90	ipwho.is	Germany		24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1508493
Start date and time:	2024-09-10 10:05:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	doc_Zapytanie - Oferta KH 09281.com.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/5@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 208 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:06:01	API Interceptor	1x Sleep call for process: doc_Zapytanie - Oferta KH 09281.com.exe modified
04:06:05	API Interceptor	12784617x Sleep call for process: workbook.exe modified
10:06:05	Task Scheduler	Run new task: workbook path: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
213.159.74.80	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse
	Client.exe	Get hash	malicious	Quasar	Browse
	rNuevoPedidoPO-00843.pdf.com.exe	Get hash	malicious	Quasar	Browse
	rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe	Get hash	malicious	Quasar	Browse
	ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe	Get hash	malicious	Quasar	Browse
	Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe	Get hash	malicious	Quasar	Browse
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse
195.201.57.90	SPt4FUjZMt.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	765iYbgWn9.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	WfKynArKjH.exe	Get hash	malicious	AsyncRAT, Luca Stealer, MicroClip, RedLine	Browse	/?output=json
	ubes6SC7Vd.exe	Get hash	malicious	Unknown	Browse	ipwhois.app/xml/
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json
	Clipper.exe	Get hash	malicious	Unknown	Browse	/?output=json
	cOQD62FceM.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer	Browse	/?output=json
	Cryptor.exe	Get hash	malicious	Luca Stealer, Rusty Stealer	Browse	/?output=json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipwho.is	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	bin homebots io.bat	Get hash	malicious	Unknown	Browse	195.201.57.90
	yJrZoOsgfl.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	IMKssbDprn.exe	Get hash	malicious	Unknown	Browse	108.181.98.179
	WBmC56ADQF.lnk	Get hash	malicious	Unknown	Browse	195.201.57.90
	uScqjqUS1m.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	CVSIyqGKKK.exe	Get hash	malicious	Unknown	Browse	108.181.98.179
	Client.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	AdjustLoader.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	rNuevoPedidoPO-00843.pdf.com.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
bg.microsoft.map.fastly.net	SOA.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	LETTER OF DEMAND.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://clf.questionpro.eu/cxportal/login?feedbackId=1602631631	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://go.skimresources.com/?id=129857X1600501&url=https://www.freelancer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/298cfa06-ad24-42db-8a85-7a3ca069b2cf?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyu	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://dl9r8y25t98wv.cloudfront.net/?YS50YW5ndXlAc2JtLm1j	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://117.176.194.239:8060/OrBitPluginServiceR15/Upgrade/WindowsFormsControlLibrary1.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://dev-owaserv.pantheonsite.io/auth/?email=*@index.shtmlindex.shtml?code=105145d3e057663131503877b5102ed4786ce1790639df67b80662c0910934b9cb6a3b4145df9f53c74dbffec3e673d99215bbfcf2f5cfa23784f8cf995f10d98d180a3a72929bb118e2374079a4a9e43f65d534532f56b6d1704020291abc40b998f8ba2bc3ffc433df5f4285ff9f9d81725bindex.shtml/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://mostacho.ru.com/index.php	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://kby.oqp.mybluehost.me/wp-admin/20191952407230/account/amendes2024org	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://whats.met-esm.top/	Get hash	malicious	Unknown	Browse	199.232.210.172
twart.myfirewall.org	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	Client.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	rNuevoPedidoPO-00843.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse	213.159.74.80
	doc_RFQ NEW ORDER #2400228341.pdf.exe	Get hash	malicious	AsyncRAT	Browse	41.151.251.119
	doc_Rfq_TNTM #U00daj rend TM00002916620 exp_pdf.exe	Get hash	malicious	XWorm	Browse	103.35.191.158
	6KfY269eO6.exe	Get hash	malicious	LodaRAT	Browse	103.35.191.158

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	Aviso pago_inv08122047.shtml	Get hash	malicious	Unknown	Browse	116.202.95.229
	r3SKZgalaR.exe	Get hash	malicious	Unknown	Browse	128.140.55.152
	RFQ_0230909024SEPT.xla.xlsx	Get hash	malicious	Remcos	Browse	95.217.202.210
	xrrwwstCMd.docx	Get hash	malicious	Remcos	Browse	95.217.202.210
	myfile.exe	Get hash	malicious	Sodinokibi, Chaos, Netwalker, Revil, TrojanRansom	Browse	188.40.30.106
	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse	195.201.57.90
	Quotation.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	135.181.160.46
	uD9I18eLZ6.exe	Get hash	malicious	PureLog Stealer, Raccoon Stealer v2, RedLine, zgRAT	Browse	116.203.232.114
	http://pratikg7028.github.io/Task4	Get hash	malicious	HTMLPhisher	Browse	78.46.22.25
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	5.161.243.5
CTINET-ASCTINETAutonomousSystemRU	doc_rfq Oferta KH 09281.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	Client.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	rNuevoPedidoPO-00843.pdf.com.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe	Get hash	malicious	Quasar	Browse	213.159.74.80
	4dALKsHYFM.exe	Get hash	malicious	AgentTesla, AsyncRAT, PureLog Stealer, zgRAT	Browse	213.159.74.80
	yEL4yMV0s4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	213.159.64.146
	AGREEMENT AND APPROVAL REPORT FECRWY RN & FR OF 2024-501144_6.5.24.pdf	Get hash	malicious	HTMLPhisher	Browse	213.159.64.109

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://go.skimresources.com/?id=129857X1600501&url=https://www.freelancer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/298cfa06-ad24-42db-8a85-7a3ca069b2cf?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyu	Get hash	malicious	HTMLPhisher	Browse	195.201.57.90
	https://dl9r8y25t98wv.cloudfront.net/?YS50YW5ndXlAc2JtLm1j	Get hash	malicious	Unknown	Browse	195.201.57.90
	MALED_Q88_10.09.24.doc.scr.exe	Get hash	malicious	AgentTesla	Browse	195.201.57.90
	HelperLibrary.ps1	Get hash	malicious	Unknown	Browse	195.201.57.90
	Q88_MT Carol 2024.09.10.doc.scr.exe	Get hash	malicious	AgentTesla	Browse	195.201.57.90
	iBypass LPro A12+.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	iBypass LPro A12+.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	SecuriteInfo.com.Trojan.PackedNET.3050.5454.27030.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	195.201.57.90
	r3SKZgalaR.exe	Get hash	malicious	Unknown	Browse	195.201.57.90
	https://mostacho.ru.com/index.php	Get hash	malicious	Unknown	Browse	195.201.57.90

Process:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2418003062782916
Encrypted:	false
SSDEEP:	6:kK5a/L9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:giDImsLNkPlE99SNxAhUe/3
MD5:	1CDC4C7FCB68658DE45A23775177A2F7
SHA1:	1B3761EBAF4972523E7E502E6362BBBE13D3C40A
SHA-256:	E158B0EAA87269D30A476163909C5141AA6F889D72348308960DBFDAE9E5180C
SHA-512:	8169410B1DBAFE7B41CA0202C1645B2A4E1048C72D5E9F0B015A7828A071E35B80DAD1310C696D66A2A8CF806325C583CF672CD3725853C61C332B55A6DB5BA2
Malicious:	false
Reputation:	low
Preview:	p...... ..........x.X...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\doc_Zapytanie - Oferta KH 09281.com.exe.log

Download File

Process:	C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\workbook.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Download File

Process:	C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3863552
Entropy (8bit):	7.963670649250203
Encrypted:	false
SSDEEP:	49152:cfMJOv6Id+/vm1z5O2W925nAkOvFNhRg6Zuzzt1TjmFPJBld+3Y81SUAbaYgrL8z:ckoSYGu15jWqQvbUN125JKrAbabB0
MD5:	D5DEF75143E3302847F9E6F64A1CAD4E
SHA1:	8C914DD231DAFF31092BF5DE3DB22EB9C07C622D
SHA-256:	F9FE40CA4D842619322A11C4013A2210132D4C7AFA0C4AE88BE17F13EE6D1B16
SHA-512:	584B1C2437140B4916A34F34FD5EFF93CADF0E7C4CE00AA509FB25758D633A75E5E6B64FB585FAFD0EE5E0AC38E8D03391D8E7C39F8F57F7E4BD0CC388DCFE81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 13% Antivirus: Virustotal, Detection: 27%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6...............0...:...........;.. ... ;...@.. .......................`;...........@...................................;.O.... ;.,....................@;.......:.p............................................ ............... ..H............text.....:.. ....:................. ..`.rsrc...,.... ;.......:.............@..@.reloc.......@;.......:.............@..B..................;.....H.......,P...X......q...<...`.8..........................................0..L.........}.....(.......(......(........0...s......( ....o!.....("....o#.....($.....0..+.........}........(%........(&.....,5...(........0...s......(.....o!.....(.....o#....8.....r...p.`...('...o(...t`.......()..........9d....s.........s...s+...o,......o ...r...po-..........,$..( .....o ...r...po-...s....o........o ...r+..po-..........,$..( .....o ...r+..po-...s....o........o ...rC..po-..........,$.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.963670649250203
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	doc_Zapytanie - Oferta KH 09281.com.exe
File size:	3'863'552 bytes
MD5:	d5def75143e3302847f9e6f64a1cad4e
SHA1:	8c914dd231daff31092bf5de3db22eb9c07c622d
SHA256:	f9fe40ca4d842619322a11c4013a2210132d4c7afa0c4ae88be17f13ee6d1b16
SHA512:	584b1c2437140b4916a34f34fd5eff93cadf0e7c4ce00aa509fb25758d633a75e5e6b64fb585fafd0ee5e0ac38e8d03391d8e7c39f8f57f7e4bd0cc388dcfe81
SSDEEP:	49152:cfMJOv6Id+/vm1z5O2W925nAkOvFNhRg6Zuzzt1TjmFPJBld+3Y81SUAbaYgrL8z:ckoSYGu15jWqQvbUN125JKrAbabB0
TLSH:	860623131BD8C959C1BAD2B466AAC1300B76DE0BF8A3D376DEC1E9D33E15321AD0574A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6...............0...:...........;.. ... ;...@.. .......................`;...........@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x7b0706
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x82361C0D [Thu Mar 24 12:56:45 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b06b4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b2000	0x62c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3b4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3ab59c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3ae70c	0x3ae800	3b565b359e94e443836cbee6bcec68b2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x3b2000	0x62c	0x800	89cd2bcd6456e0f3d9913e7c69040afe	False	0.33837890625	data	3.46497434020257	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3b4000	0xc	0x200	b9e17dec0b80900eda76118493ab561b	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3b2090	0x39c	data			0.42207792207792205
RT_MANIFEST	0x3b243c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-10T10:06:11.627493+0200	2027619	ET MALWARE Observed Malicious SSL Cert (Quasar CnC)	1	213.159.74.80	9792	192.168.2.5	49709	TCP
2024-09-10T10:06:11.627493+0200	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	213.159.74.80	9792	192.168.2.5	49709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 10:06:10.367732048 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:10.373444080 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:10.373528004 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:10.400552988 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:10.405715942 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:11.617322922 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:11.617348909 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:11.617441893 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:11.622612000 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:11.627492905 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:11.724909067 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:11.860805035 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:11.966264009 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:11.966439009 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:12.931309938 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:12.931346893 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:12.931418896 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:12.932303905 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:12.932317019 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.790040016 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.790124893 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:13.793839931 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:13.793853045 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.794080973 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.799444914 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:13.847423077 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.994381905 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.994460106 CEST	443	49711	195.201.57.90	192.168.2.5
Sep 10, 2024 10:06:13.994508028 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:14.047632933 CEST	49711	443	192.168.2.5	195.201.57.90
Sep 10, 2024 10:06:14.215007067 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:14.571158886 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:15.151449919 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:15.151469946 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:15.261044025 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:15.313862085 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:15.348113060 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:06:15.391995907 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:40.360882998 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:06:40.368875027 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:07:05.376503944 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:07:05.381417036 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:07:30.388959885 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:07:30.393893003 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:07:55.407767057 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:07:55.413057089 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:08:20.423410892 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:08:20.428747892 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:08:45.439055920 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:08:45.443995953 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:09:10.454838037 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:09:10.460005999 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:09:35.470362902 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:09:35.475414038 CEST	9792	49709	213.159.74.80	192.168.2.5
Sep 10, 2024 10:10:00.486008883 CEST	49709	9792	192.168.2.5	213.159.74.80
Sep 10, 2024 10:10:00.491162062 CEST	9792	49709	213.159.74.80	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 10:06:10.294033051 CEST	49600	53	192.168.2.5	1.1.1.1
Sep 10, 2024 10:06:10.305733919 CEST	53	49600	1.1.1.1	192.168.2.5
Sep 10, 2024 10:06:12.920706034 CEST	51238	53	192.168.2.5	1.1.1.1
Sep 10, 2024 10:06:12.927690983 CEST	53	51238	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 10, 2024 10:06:10.294033051 CEST	192.168.2.5	1.1.1.1	0x8ae4	Standard query (0)	twart.myfirewall.org	A (IP address)	IN (0x0001)	false
Sep 10, 2024 10:06:12.920706034 CEST	192.168.2.5	1.1.1.1	0xc7ff	Standard query (0)	ipwho.is	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 10, 2024 10:06:10.305733919 CEST	1.1.1.1	192.168.2.5	0x8ae4	No error (0)	twart.myfirewall.org	213.159.74.80	A (IP address)	IN (0x0001)	false
Sep 10, 2024 10:06:12.177741051 CEST	1.1.1.1	192.168.2.5	0xf71b	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Sep 10, 2024 10:06:12.177741051 CEST	1.1.1.1	192.168.2.5	0xf71b	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Sep 10, 2024 10:06:12.927690983 CEST	1.1.1.1	192.168.2.5	0xc7ff	No error (0)	ipwho.is	195.201.57.90	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipwho.is

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	195.201.57.90	443	6204	C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-10 08:06:13 UTC	150	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 Host: ipwho.is Connection: Keep-Alive
2024-09-10 08:06:13 UTC	223	IN	HTTP/1.1 200 OK Date: Tue, 10 Sep 2024 08:06:13 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close Server: ipwhois Access-Control-Allow-Headers: * X-Robots-Tag: noindex
2024-09-10 08:06:13 UTC	1019	IN	Data Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor

Target ID:	0
Start time:	04:06:00
Start date:	10/09/2024
Path:	C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe"
Imagebase:	0xaf0000
File size:	3'863'552 bytes
MD5 hash:	D5DEF75143E3302847F9E6F64A1CAD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2053895810.00000000033EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2062600325.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2055940547.00000000043A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:06:02
Start date:	10/09/2024
Path:	C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\doc_Zapytanie - Oferta KH 09281.com.exe"
Imagebase:	0x740000
File size:	3'863'552 bytes
MD5 hash:	D5DEF75143E3302847F9E6F64A1CAD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2070881360.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.2070881360.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:06:04
Start date:	10/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Imagebase:	0x850000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:06:04
Start date:	10/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:06:04
Start date:	10/09/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Imagebase:	0x7ff6d64d0000
File size:	3'863'552 bytes
MD5 hash:	D5DEF75143E3302847F9E6F64A1CAD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2098856236.0000000002BAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 13%, ReversingLabs Detection: 27%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:06:05
Start date:	10/09/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Imagebase:	0x740000
File size:	3'863'552 bytes
MD5 hash:	D5DEF75143E3302847F9E6F64A1CAD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2145144757.0000000003017000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2194510600.000000000A061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2188441156.000000000905F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:06:06
Start date:	10/09/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Imagebase:	0xb50000
File size:	3'863'552 bytes
MD5 hash:	D5DEF75143E3302847F9E6F64A1CAD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000008.00000002.4497355884.00000000034C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	04:06:08
Start date:	10/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
Imagebase:	0x850000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:06:08
Start date:	10/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:06:11
Start date:	10/09/2024
Path:	C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
Imagebase:	0xc20000
File size:	3'863'552 bytes
MD5 hash:	D5DEF75143E3302847F9E6F64A1CAD4E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.3%
Total number of Nodes:	176
Total number of Limit Nodes:	12

Executed Functions

Function 03205D98 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846f1905ef04f3013d197afc30b90a672030397c83a5e9c80ff5519df13c3cd0
Instruction ID: 1d9aeb5572cae481ba79526ce1ac1b767a0c604f29fc1b4841ae96b3f529922c
Opcode Fuzzy Hash: 846f1905ef04f3013d197afc30b90a672030397c83a5e9c80ff5519df13c3cd0
Instruction Fuzzy Hash: 62E1EB307012068FDB29DB65C454BAEB7FAEFC9700F28446DD14A9B392CB35E986CB51

Function 032044A0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9f2ef678149446e8252cfee46d3cb7cd078a192b9aa0da683148b17ac9e48af
Instruction ID: 372971d2e455ed48ecbb1218a44bb087af966d2bd60819b4c4b129c6c75af4ab
Opcode Fuzzy Hash: f9f2ef678149446e8252cfee46d3cb7cd078a192b9aa0da683148b17ac9e48af
Instruction Fuzzy Hash: EB310A71D193588FDB29CF67C844789BBB6AFCA300F18C0EAC808AB256DB750985CF51

Function 015FD4E8 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015FD576
GetCurrentThread.KERNEL32 ref: 015FD5B3
GetCurrentProcess.KERNEL32 ref: 015FD5F0
GetCurrentThreadId.KERNEL32 ref: 015FD649

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1e4c3ad96178277f3e7828560a299ed326d2b7df0610f64c16513ad54125bf29
Instruction ID: c97d619aeb12808e545a26d7e35265d6b5d9dbd95955c174c014d93438458bd5
Opcode Fuzzy Hash: 1e4c3ad96178277f3e7828560a299ed326d2b7df0610f64c16513ad54125bf29
Instruction Fuzzy Hash: 425145B09013498FDB14DFA9D548BAEBBF1FF49304F248459E109AB2A0D7389944CB65

Function 015FD4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 015FD576
GetCurrentThread.KERNEL32 ref: 015FD5B3
GetCurrentProcess.KERNEL32 ref: 015FD5F0
GetCurrentThreadId.KERNEL32 ref: 015FD649

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0c9161d59b1d9010f491b5593bd4377ae12adaef55d22d8e84e45b82353b2039
Instruction ID: 8e6b6537b4943ba2ddbaed3dd5f3773a79e6a2495ee5ba278e35fb08ede5135d
Opcode Fuzzy Hash: 0c9161d59b1d9010f491b5593bd4377ae12adaef55d22d8e84e45b82353b2039
Instruction Fuzzy Hash: AA5146B09003098FDB18DFAAD548BAEBBF5FF49304F20845DE119AB360D7389944CB65

Function 0320322E Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0320346E

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5460a79320e90b83c9559753f2f898813abb2c4970b40db23d7a6d270c6d242c
Instruction ID: 188e92bbe9a70ee986ef8938d8001e8218425d278f203ba6433208a3f25322c7
Opcode Fuzzy Hash: 5460a79320e90b83c9559753f2f898813abb2c4970b40db23d7a6d270c6d242c
Instruction Fuzzy Hash: A0A18F75D1061ACFDB14CFA8C881BDDBBB2FF48310F188169D918A7290DB759989CF91

Function 03203238 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0320346E

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9d21c9b4ec00a1822e1c3e14bb8a1590a0b7da7701c3dac0e4d68950be90840b
Instruction ID: 3d8074ccd5a26a0a20c9d60782efb50b42d11c4bab50f552c4bb95530a029858
Opcode Fuzzy Hash: 9d21c9b4ec00a1822e1c3e14bb8a1590a0b7da7701c3dac0e4d68950be90840b
Instruction Fuzzy Hash: 94919F75D1061ACFDB14CFA8C8817DDBBB2FF48310F188169D908A7290DB759989CF91

Function 015FAE59 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015FB0BE

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5d73b45c31505895323462415424f7fc462f5050713bf6e0486ad2c776776dfe
Instruction ID: 850c54056e2c9aa2b381849f6041d60ed546fa9026991deb452eaaa808fb2200
Opcode Fuzzy Hash: 5d73b45c31505895323462415424f7fc462f5050713bf6e0486ad2c776776dfe
Instruction Fuzzy Hash: 878167B0A00B068FD724DF29D48479ABBF5FF88700F00892ED59ACBA94D735E845CB91

Function 015F590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015F59C9

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c1c72b0eb2bc8bc650895e86c380f09f7f6b2a3e78a54e8992dc0f072a8c8652
Instruction ID: b2fb87407e123a348c31b1aa82fb8f5ec8244d373f48909a021b2191ccec9155
Opcode Fuzzy Hash: c1c72b0eb2bc8bc650895e86c380f09f7f6b2a3e78a54e8992dc0f072a8c8652
Instruction Fuzzy Hash: EB41E2B0C00719CFDB24CFAAC984B9DBBF1BF89304F20846AD508AB255D775594ACF90

Function 015F44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 015F59C9

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ba66f44b695665bd0b3b45f099d0e42148f62b0ee557b09b41154236a0b6503b
Instruction ID: ac94bb41082c38f16e9f9d178b603f84fda4c37d0745fa229581e15f6a0dab92
Opcode Fuzzy Hash: ba66f44b695665bd0b3b45f099d0e42148f62b0ee557b09b41154236a0b6503b
Instruction Fuzzy Hash: 934104B0C0071DCBDB24DFA9C848B9DBBF5BF49304F20846AD508AB255DBB56949CF90

Function 03202FAA Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03203040

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 23b7885bde61c3d44e42c376b76e0d35f828a26322f9a6fad367e950e95a6001
Instruction ID: c908a3d97d913761101009f9ac27762eef9095ce4d3fd2c356dd644a45adee68
Opcode Fuzzy Hash: 23b7885bde61c3d44e42c376b76e0d35f828a26322f9a6fad367e950e95a6001
Instruction Fuzzy Hash: 6E2148B59003499FCB10DFA9C885BEEBBF5FF48310F148429E959A7240D779A954CBA0

Function 03202FB0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03203040

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e49b4272e7b0d8a8442c010787c230e133fb5370ae3ddf9f041b0c23aac9495b
Instruction ID: ba5549b49aab2a6fcca302aeafeaba5cd7697a717accb92ae4de068892b5751b
Opcode Fuzzy Hash: e49b4272e7b0d8a8442c010787c230e133fb5370ae3ddf9f041b0c23aac9495b
Instruction Fuzzy Hash: 772139B5D003499FCB10DFAAC985BEEBBF5FF48310F108429E959A7241C7799944CBA4

Function 03203098 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03203120

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e4a107526d71d89cb4ff9d5a28e31fa09d9bf4a7f4fac3c5a6e5364602aec18a
Instruction ID: f4308694b1df8c9858a1b50e6ce87dfe46b660acda8612d4f8bee73a85155db8
Opcode Fuzzy Hash: e4a107526d71d89cb4ff9d5a28e31fa09d9bf4a7f4fac3c5a6e5364602aec18a
Instruction Fuzzy Hash: 3E2136B1C003499FCB10DFAAC884AEEFBF5FF48310F508429E518A7241D7389945CBA1

Function 03202E12 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03202E96

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 213c759ecd54e74de9b7cfc2df2eace2b78c7686655c8d507947e52dcba19f9f
Instruction ID: a9a82a598af914995cca7d4ae061ce679edc38eb47fc4bc0fb25d1c3dec629ac
Opcode Fuzzy Hash: 213c759ecd54e74de9b7cfc2df2eace2b78c7686655c8d507947e52dcba19f9f
Instruction Fuzzy Hash: 9F212571D003098FDB10DFAAC4857EEFBF4EF88320F14842AD519A7241CB78A985CBA0

Function 015FD738 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015FD7C7

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8f4be1128c70402a98bb79806dbe2c7a3f9bcf93144df00b4feb0c665e0047ef
Instruction ID: e8842fa015e396e7ba61cb41c5e609c12a2decfb503ab8f011733a5c611e8de7
Opcode Fuzzy Hash: 8f4be1128c70402a98bb79806dbe2c7a3f9bcf93144df00b4feb0c665e0047ef
Instruction Fuzzy Hash: F021E3B5D012489FDB10CFAAD985AEEBFF4FB08310F14841AE918A7310C378A945CFA1

Function 032030A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03203120

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 951af9bcd7244c4d07297a52d30e665a10d26572ff660bfea138dfa3a4171984
Instruction ID: 3c18927b9e05dae990831c32b5fa3832a1b160426a3b6bd9f34e8020ee3c3505
Opcode Fuzzy Hash: 951af9bcd7244c4d07297a52d30e665a10d26572ff660bfea138dfa3a4171984
Instruction Fuzzy Hash: CD2125B1C003499FCB10DFAAC884AEEFBF5FF48310F10842AE519A7240C7789945CBA0

Function 03202E18 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03202E96

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2c15a1d6da5852ecad4c7c0479adab4cc08c935d536ea46184eba5258f0ab664
Instruction ID: 27ffab4def8552c1adf7bcb1b81c917da68334b700600403e6b7fcec724b2b42
Opcode Fuzzy Hash: 2c15a1d6da5852ecad4c7c0479adab4cc08c935d536ea46184eba5258f0ab664
Instruction Fuzzy Hash: D1210771D003098FDB10DFAAC4857AEBBF4EF49314F14842AD559A7241CB78A985CBA5

Function 015FD740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015FD7C7

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0696fe1b8b38849e2b20360e3d3a4222fb72a3cac02343465d3f41867a0ea74d
Instruction ID: adb10a5f28c1338692240f0fc1ea60e557bfa20ec4a50a765cb75f39e8acc110
Opcode Fuzzy Hash: 0696fe1b8b38849e2b20360e3d3a4222fb72a3cac02343465d3f41867a0ea74d
Instruction Fuzzy Hash: 0221C4B5D012489FDB10CF9AD584ADEBFF9FB48310F14841AE918A7350D379A944CFA5

Function 03202EEA Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03202F5E

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1b2db015d5c93aa7e5af7e34339426f3472539044eba07d2f55583b55659fa5
Instruction ID: ca66a3188598ee699989c3c80c0dc84c8536ca1022190e1e917f324b476c5270
Opcode Fuzzy Hash: b1b2db015d5c93aa7e5af7e34339426f3472539044eba07d2f55583b55659fa5
Instruction Fuzzy Hash: A1112C75800249DFCB10DFA9D845ADEBFF5FF48314F248819E519A7250C779A544CFA1

Function 03202928 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 03202992

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f0140fafbcff72bda62f9253e264554d778e08ca442f02629c60e331f6e4209c
Instruction ID: f32ea6fcde52e2ad670c342be34dd6a8ff6acf386a67320451f79eb24cfc1ee7
Opcode Fuzzy Hash: f0140fafbcff72bda62f9253e264554d778e08ca442f02629c60e331f6e4209c
Instruction Fuzzy Hash: 831137B18003498FCB10DFAAD4457EEFBF5EF89320F24881AD459A7240CB79A585CBA1

Function 03202EF0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03202F5E

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 140cdb04eb1ee7ba0eeeef2c68222fc79445417eb2b771bbeb993b68a025931f
Instruction ID: 5b04804d54482c523df4abfa2f4ea34cf087b6b83d4a017317098f9153f2e30a
Opcode Fuzzy Hash: 140cdb04eb1ee7ba0eeeef2c68222fc79445417eb2b771bbeb993b68a025931f
Instruction Fuzzy Hash: 7B1129718002499FCB10DFAAC848ADEBFF5EF48314F248819E519A7250C775A544CBA0

Function 03202930 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 03202992

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 258a6fbe991db953337b8e39400a6ebfec16d5d7e59bce4384c0af9e46b96804
Instruction ID: 452426b41f49776100fa50842f52ea7ac8f529cf87f652e55bf9aaaef0b7c380
Opcode Fuzzy Hash: 258a6fbe991db953337b8e39400a6ebfec16d5d7e59bce4384c0af9e46b96804
Instruction Fuzzy Hash: F4113AB1D003498FCB20DFAAC4457EEFBF5EF88324F24881AD559A7240CB79A545CBA5

Function 015FB058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 015FB0BE

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 021641f5445e3a06a1ff4dfd1f67846ee5f63eadc38c0ce9f9baa746b7bfafaf
Instruction ID: 8376c991c11bb000457cb1473d962ab4dbba492a5b4867cc9f29c121599f95aa
Opcode Fuzzy Hash: 021641f5445e3a06a1ff4dfd1f67846ee5f63eadc38c0ce9f9baa746b7bfafaf
Instruction Fuzzy Hash: 0B11DFB5C002498FDB20DF9AD444B9EFBF8EF88224F10841AD529A7610D379A545CFA5

Function 0320135C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 03205645

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: db08b99fadb11e5b5af53d7c1a2746103e09243d21ce2c016024427a3c6858ed
Instruction ID: 26bf0ce2a9d604beb665b78e5cfba86c8b932b690f632f9d4a1843a11c2865ba
Opcode Fuzzy Hash: db08b99fadb11e5b5af53d7c1a2746103e09243d21ce2c016024427a3c6858ed
Instruction Fuzzy Hash: 1F11F5B58043499FCB10DF99D448BDEFFF8EB49320F20841AE518A7241C375A984CFA1

Function 032055E1 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 03205645

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 8d0c0d6c86800f66d4fe607a0d0a70021e1de7663c94f35a559ecdfd90fcd7e5
Instruction ID: ee144f37307ae77ecfe3f4c84d63cdd2a363f3aea8fe4696e49d01dcc863bfcb
Opcode Fuzzy Hash: 8d0c0d6c86800f66d4fe607a0d0a70021e1de7663c94f35a559ecdfd90fcd7e5
Instruction Fuzzy Hash: 301106B58003499FCB10DF99D585BDEFBF8FB49320F24841AD518A7240C379A984CFA1

Function 03206870 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 032068D0

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 23b82f0b3d9d86cca8e54c651587f8472687fbffbb6a72c656db929f5e2a3ab5
Instruction ID: bb6a5a6b4f3be870ac3884d689247868e3f73023bebf45ab366832e489abfd93
Opcode Fuzzy Hash: 23b82f0b3d9d86cca8e54c651587f8472687fbffbb6a72c656db929f5e2a3ab5
Instruction Fuzzy Hash: 261136B5C006498FCB20DF99D585BDEBBF4EF48320F14842AD558A7341D379A688CFA1

Function 03206878 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 032068D0

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f02594198910103116d0746269da01425c223032091bf1f9428272ab2f571ba4
Instruction ID: a395987e15769f3402dec5a8437ea0db692d67a9d4fc21098f58b14bc7a43fe1
Opcode Fuzzy Hash: f02594198910103116d0746269da01425c223032091bf1f9428272ab2f571ba4
Instruction Fuzzy Hash: AA1133B1C003498FCB20DF9AD584BDEBBF4EF48320F20841AD558A7240D338A588CFA5

Function 0148D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052978225.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2638281ef1d67d3d5d9ae0cadd5ec1db091b4df23287713360c173d7b66ed4
Instruction ID: c90e844ba53c9c31f28cc41565f70500184f0a6e040f8e5ad87c981c79984278
Opcode Fuzzy Hash: cd2638281ef1d67d3d5d9ae0cadd5ec1db091b4df23287713360c173d7b66ed4
Instruction Fuzzy Hash: 2B21F471901240DFDB05EF58D980F2BBF65FB88318F20C56BD9090A2A6C336D456C6B1

Function 0149D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053006951.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f397a8c049d6142f3451701b5f8b0a341dc24ee0c463e49ceca39f8d4efa84
Instruction ID: a8b89de523fac15e3aad18463b66db88b17a8fc6c9675e06d4c8910f1409fdf9
Opcode Fuzzy Hash: c5f397a8c049d6142f3451701b5f8b0a341dc24ee0c463e49ceca39f8d4efa84
Instruction Fuzzy Hash: 3A21F5B1904204DFDF15DF68D984B16BF65FB84358F20C56ED94A4B366C33AD407CA61

Function 0149D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053006951.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4020603c81fee359ed5fb07b956c24683449f3fa6f80ccbc0e05f6bd910b1126
Instruction ID: 8df22bc4ce1c85a4fa0ef04a972a678aa7578b692f004c9a19db58a35a431f02
Opcode Fuzzy Hash: 4020603c81fee359ed5fb07b956c24683449f3fa6f80ccbc0e05f6bd910b1126
Instruction Fuzzy Hash: 3421F571904204DFDF05DF98D9C0B26BF65FB84324F20C5AED9094B3A6C33AD406CA61

Function 0149D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053006951.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb905b3f97cb76192fb92538a13176474922a3563d5554b036b08bb33621e002
Instruction ID: 31ed71352d60e35834b605aae1c935d7d224d41b3f34c88ed3a8acc90411e32b
Opcode Fuzzy Hash: cb905b3f97cb76192fb92538a13176474922a3563d5554b036b08bb33621e002
Instruction Fuzzy Hash: F62180755093808FDB07CF64D594716BF71EB46214F28C5DBD8498B2A7C33A980ACB62

Function 0148D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052978225.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 120ffeef11ff7b60fe0d5001c8f988c183f03bc4a7e18c5f84835d337762be3b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: F611E172804280CFCB02DF54D9C4B1ABF71FB88314F24C6AAD9490B667C336D45ACBA2

Function 0149D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053006951.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: ddb409e28a1b10e02fa69d44a2f8bbf9a879d9eac006d584f03ae7948ddec227
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 4011BB75904280DFDB02CF54C5C4B16BFA1FB84224F24C6AAD8494B3A6C33AD40ACB62

Function 0148D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052978225.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 110efb33af682c8b2828b45a420558e7143a4aea846e25f740a16c1a899786ed
Instruction ID: a36b037552c1a5008d2d39c238444f85bce16bb6460032d3f6e9de801c21be04
Opcode Fuzzy Hash: 110efb33af682c8b2828b45a420558e7143a4aea846e25f740a16c1a899786ed
Instruction Fuzzy Hash: A10120714053C499E7107E99CD84B5BBF9CDF45320F14C52BED080A3D6C2399441C671

Function 0148D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052978225.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_148d000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131b0b98cd2e3359508778770f27ba826fc53680e71c3bb21d968ce7265f9395
Instruction ID: f77eda126ce0f031e5e6c0e3eb6b859f665dfbe120daabce6b2ef1340a696adb
Opcode Fuzzy Hash: 131b0b98cd2e3359508778770f27ba826fc53680e71c3bb21d968ce7265f9395
Instruction Fuzzy Hash: FEF0C2714053849AEB10AE1AC888B67FF98EF46234F18C45AED480A396C2799840CBB1

Non-executed Functions

Function 032029E0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c1a9ffccdf7aca90161de5c9de8897928fa9397a8d210359c7da89388f3da9
Instruction ID: 6ef059c8d3c83b64636682dc250d65c6ba315c488a423ac8c151eaccd093ff1a
Opcode Fuzzy Hash: 31c1a9ffccdf7aca90161de5c9de8897928fa9397a8d210359c7da89388f3da9
Instruction Fuzzy Hash: D1E10775E102198FCB14CFA8C5849AEFBB2FF89305F24856AD414AB356C731AD85CFA1

Function 03200040 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a247233a63ad816012925614eba4c624abef498d1bbe8b791d8f7c551f9e468
Instruction ID: 6652b991e7b90a9e81f9d69c24e5c2987bb7c42c1a269ac07ac08945f8bc8776
Opcode Fuzzy Hash: 4a247233a63ad816012925614eba4c624abef498d1bbe8b791d8f7c551f9e468
Instruction Fuzzy Hash: 74E1E475E101198FDB14CFA9C580AAEFBB2FB89305F24C169D414AB356D730AD85CFA1

Function 032020B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f5497bc16f0ddc224c1bfafd238716b36f74cc9d27b910b76bdc85aef13872
Instruction ID: 473b8211f73ef80d7c4187700ac812892533ce2225f69e3637fca1fc84ddd1b5
Opcode Fuzzy Hash: f8f5497bc16f0ddc224c1bfafd238716b36f74cc9d27b910b76bdc85aef13872
Instruction Fuzzy Hash: 4DE1F975E10219CFCB14CFA8C5849AEFBB6FF89305F24856AD414AB356D730A985CFA0

Function 03200478 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddf54c400f5c40748aab12d1f619e653a119323be2303a6dc3a1b3d339100cd
Instruction ID: 2d4913b0e55c52b7c1ed357547cbad89def20dafb6228f1a846f8a4576c27892
Opcode Fuzzy Hash: 3ddf54c400f5c40748aab12d1f619e653a119323be2303a6dc3a1b3d339100cd
Instruction Fuzzy Hash: A6E1F4B5E101198FDB14DFA9C580AAEFBB2FF89305F24C169D414AB356C730A985CFA0

Function 03201C78 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437159a7ab4bea6266bf89d3412918ed25a57026bd9e2a85841cbed261e9217f
Instruction ID: 88eeea6cf5f569f9b1da32b98274c8e337e4ff6b33463251bf32c4a7592061ea
Opcode Fuzzy Hash: 437159a7ab4bea6266bf89d3412918ed25a57026bd9e2a85841cbed261e9217f
Instruction Fuzzy Hash: E4E1F875E102198FCB14CFA9C5809AEFBB2FF89305F248169D414AB396D731AD85CFA1

Function 015FD424 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053169292.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15f0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f11f498960fafe842be564052270fd83b8e119fe81bfa19692c281c729aa53
Instruction ID: 742d106894b0735c03ed7316c04cb3fa80de44c0e35967c83a2dd3d6fd69dca3
Opcode Fuzzy Hash: a9f11f498960fafe842be564052270fd83b8e119fe81bfa19692c281c729aa53
Instruction Fuzzy Hash: 41A17032E002169FCF15DFB4C88499EBBB2FF85300B15856EEA05AF265DB31E955CB40

Function 03201C68 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c19bd786f9becc977bdac60dcc4391a80731657e2902f85a66dd70651bd440
Instruction ID: 02f3399d5321163ff996379304956cf2c2dedc9a1f49247c637d1cbd856b737b
Opcode Fuzzy Hash: 70c19bd786f9becc977bdac60dcc4391a80731657e2902f85a66dd70651bd440
Instruction Fuzzy Hash: 59616075E142198FCB15CF69C9805AEFBF6FF89300F24816AD418AB252C730A985CFA1

Function 03200007 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1748bee69402c2dc7798f0cb3e8116c714a5438df7f4f641d0a0b07ccb714c31
Instruction ID: c580644f19fb9da39923825f9072e53f78b52716c872a0cac217c22f0faee810
Opcode Fuzzy Hash: 1748bee69402c2dc7798f0cb3e8116c714a5438df7f4f641d0a0b07ccb714c31
Instruction Fuzzy Hash: 77616F71D052598FDB15CF69C9805AEFBF2FF8A300F18C1AAD408AB256D7349945CFA1

Function 03200469 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053686278.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3200000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed20375df2f21445443332c5ef10e63a95ed63a96b3cb148e400e56a778f2f0c
Instruction ID: 2caf907a1a936049f15c8d94ffae7b3687abcf6b14545ad722bde380f9dcee85
Opcode Fuzzy Hash: ed20375df2f21445443332c5ef10e63a95ed63a96b3cb148e400e56a778f2f0c
Instruction Fuzzy Hash: BD5108B1E102198FDB14CFA9C9805AEFBF2BF89305F24C169D418AB256D7319A45CFA1

Analysis Process: doc_Zapytanie - Oferta KH 09281.com.exePID: 1560, Parent PID: 3556COMMON

Execution Graph

Execution Coverage:	11.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	470
Total number of Limit Nodes:	41

Executed Functions

Function 012C6530 Relevance: 6.1, APIs: 4, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012C65BE
GetCurrentThread.KERNEL32 ref: 012C65FB
GetCurrentProcess.KERNEL32 ref: 012C6638
GetCurrentThreadId.KERNEL32 ref: 012C6691

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e0516b26b48fd6ee9b19f9962a8fa42396046d732315ee900a5c6652fcf9e671
Instruction ID: b5019684c78481a47a67c350eb32b07b3199d15b0d0ecc19b2224926c035d98c
Opcode Fuzzy Hash: e0516b26b48fd6ee9b19f9962a8fa42396046d732315ee900a5c6652fcf9e671
Instruction Fuzzy Hash: 715187B090134A8FDB08DFA9D948BAEBFF1EF49304F248559D209A73A1C7386944CF65

Function 012C6540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 012C65BE
GetCurrentThread.KERNEL32 ref: 012C65FB
GetCurrentProcess.KERNEL32 ref: 012C6638
GetCurrentThreadId.KERNEL32 ref: 012C6691

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9f09b066e382c77fa46fead20af93d29c13ae4a91c6fa0cf548cb9f56cc7d15a
Instruction ID: 8bc42b1b9080ac32c7590cac265581e26be963d7c08a1b06095bcc3f3c65f878
Opcode Fuzzy Hash: 9f09b066e382c77fa46fead20af93d29c13ae4a91c6fa0cf548cb9f56cc7d15a
Instruction Fuzzy Hash: 055135B09113098FDB18DFA9D548B9EBBF5EF48304F208559E509A7390DB38A944CF65

Function 053E3720 Relevance: 2.0, APIs: 1, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e020d418b4a11c6f2bcf78728af2521827632b258a07a50807ca51da9c2cfe5
Instruction ID: 32fa7d8f76b18dc630ed25fda50fa340be86944e3d953e5862a446fcadc506e0
Opcode Fuzzy Hash: 5e020d418b4a11c6f2bcf78728af2521827632b258a07a50807ca51da9c2cfe5
Instruction Fuzzy Hash: DC224A74E04265CBCF14DB98C889AAEB7F7FF88310F248556D902AB7D5C774A882CB51

Function 012CBFF0 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012CC256

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 42d8c22b7082aba125cbe108675ed97324716012b875b60612643782b9a218c4
Instruction ID: 4e9a27fbaad706f6d5058b316512acb5478d0bae13bdcbed0312e93df31f06b3
Opcode Fuzzy Hash: 42d8c22b7082aba125cbe108675ed97324716012b875b60612643782b9a218c4
Instruction Fuzzy Hash: 6A818AB0A10B468FD724DF69D45076ABBF1FF88700F008A2ED68AD7A40D775E856CB91

Function 053EDAE7 Relevance: 1.7, APIs: 1, Instructions: 166
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 053EDC34

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 59be72aa9109753ff3e8e30c886cc7236a97ffeb79b36b86e65f510a1aa74031
Instruction ID: d2ad95f765dbcbc4d57c832e1dcdeb45fd8d4e314fe555d32731d23d688e26bd
Opcode Fuzzy Hash: 59be72aa9109753ff3e8e30c886cc7236a97ffeb79b36b86e65f510a1aa74031
Instruction Fuzzy Hash: A761F071E002589FCB18DFA9D594AADFBF6FF84300F148529E41AAB3A4DB74AC45CB41

Function 053EDAF8 Relevance: 1.7, APIs: 1, Instructions: 160
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 053EDC34

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: fc90ea2c95d35fc6598680f05a468a4778858169788c73e0918df67fb4ec9e60
Instruction ID: 590b42eba608204e23694c2b4a79b1e4ba2f1d4f9852749591c0950a9ef0409f
Opcode Fuzzy Hash: fc90ea2c95d35fc6598680f05a468a4778858169788c73e0918df67fb4ec9e60
Instruction Fuzzy Hash: 8B51DF74E002589FCB18EFA9D554AADFBF5FF84300F108529E419AB3A4DB74AC45CB51

Function 053EC90C Relevance: 1.6, APIs: 1, Instructions: 117
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 053EE259

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 6e9bad0460bdd7b06e7f41fc460b193f95a21ec438c3d0f2ed116f60c2610c9d
Instruction ID: c9b0efff564a712ff9e478ca8962b20febdf407ae7b3b2558914e743331bccd6
Opcode Fuzzy Hash: 6e9bad0460bdd7b06e7f41fc460b193f95a21ec438c3d0f2ed116f60c2610c9d
Instruction Fuzzy Hash: 5B41A371A042198FDB14DF99C844BBEBBF9FF88310F14842AD419E7390CB789945DB65

Function 053E1DC4 Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053E1EE2

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bd7d57daf28d972c1e9e64121000edac9a25b5704ece4759da822ac63d36521f
Instruction ID: eb1cea88020b38ccc8a4a683048e2f6258134e2a6b79c8dbed197c3edebb0bec
Opcode Fuzzy Hash: bd7d57daf28d972c1e9e64121000edac9a25b5704ece4759da822ac63d36521f
Instruction Fuzzy Hash: E751C0B1D003599FDB14CFA9C984ADEBBF5FF48310F24812AE819AB250D7759885CF90

Function 053E1DD0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 053E1EE2

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: af6ee43667449b5bf294ae2e8fea23a519c1dac1c9b0f1c7f0240bc8661fe9d6
Instruction ID: 4aad6d63c5c478b91fb4288fe0089a32eff216242146573475ffec085b4d19fe
Opcode Fuzzy Hash: af6ee43667449b5bf294ae2e8fea23a519c1dac1c9b0f1c7f0240bc8661fe9d6
Instruction Fuzzy Hash: 1C41AFB1D003599FDB14CF99C984ADEBBF5BF88310F24812AE819AB250D775A845CF90

Function 012C7364 Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012C7421

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7d829ce995c09c2ed89970220e7e9340b01bf3a4a035949918ca7631d65d0693
Instruction ID: d38739901086f7e13958f6f9f22962c8a2ca051516fb4c8d4fc2238f0b197fad
Opcode Fuzzy Hash: 7d829ce995c09c2ed89970220e7e9340b01bf3a4a035949918ca7631d65d0693
Instruction Fuzzy Hash: 6C41EEB0C00619CFDB24CFA9C844B8DFBB6FF49704F20816AD518AB251DB75694ACF90

Function 053E5A6C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a692ba787467083555fd9a0d53dd2a021ffd32011c17935f6848b5df8ba83916
Instruction ID: 5580ded156e1ce7db3804c3a26b3beee4297b538773c9046e36ab13a255e4815
Opcode Fuzzy Hash: a692ba787467083555fd9a0d53dd2a021ffd32011c17935f6848b5df8ba83916
Instruction Fuzzy Hash: 2831C471A043189FCB10DF59D844AAEBFF9EF89310F14845AE509E7390C774A845CBA0

Function 053E2B64 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 053E4411

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 643a573e073c833fc65cffe15b8ce762d70faaad1abea54dd3bf8456704b82f8
Instruction ID: 3091a305543aa57981bb3cbc7adffb0620ede5e96ea598196162cbc606f49c34
Opcode Fuzzy Hash: 643a573e073c833fc65cffe15b8ce762d70faaad1abea54dd3bf8456704b82f8
Instruction Fuzzy Hash: DE4129B9A003198FCB14DF99C448AAABBF6FF88314F24C459D519A7361D775A841CFA0

Function 012C6414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 012C7421

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4fc42f50a07ae4b84832eb4f3bb70d1009042a56ac42623b90f4cc115eb36526
Instruction ID: cf4c0e56c32e8dbdaa35fd427eacabef6904e134608163da24ad95ef1105fb0a
Opcode Fuzzy Hash: 4fc42f50a07ae4b84832eb4f3bb70d1009042a56ac42623b90f4cc115eb36526
Instruction Fuzzy Hash: 3F41DFB0C0061DCADB24DFA9C844B9DFBF6FF48704F20816AD518AB255DBB56946CF90

Function 053EB159 Relevance: 1.6, APIs: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 053EB227

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 5683ddea36a2a33317aa3b1852fd6e5389c19d40285e5556c5e9e18e2c1e066f
Instruction ID: 6dba80fa9841d53dfbcf9e9e31b5ac77ba9230b54443b75e002b171dd0ce3b46
Opcode Fuzzy Hash: 5683ddea36a2a33317aa3b1852fd6e5389c19d40285e5556c5e9e18e2c1e066f
Instruction Fuzzy Hash: E231AAB29043589FCB12DFA9C944AAEBFF5EF09310F14805AE554A7261C339E954CBA0

Function 012C6780 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012C680F

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1b0f2a9891b778b536a6bbaff0e17ea41e5997426fe5c7d894146e326301b321
Instruction ID: 397d6d3936e29be1d2a64712d1a23bae5dc135e8005e0add8f5e13876776bfdb
Opcode Fuzzy Hash: 1b0f2a9891b778b536a6bbaff0e17ea41e5997426fe5c7d894146e326301b321
Instruction Fuzzy Hash: 232113B59002499FDB10CFAAD884AEEBFF9FF48310F14855AE914A3311D378A944CFA1

Function 012C6788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012C680F

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8c5ce65e78fe7f8786bb9179fe5637aa60e3f2480f1aead725e4971b5a40a917
Instruction ID: c060088dd50099a2f1f1c30e06f1e4ff58f930d38d446973797dbf14cb81558e
Opcode Fuzzy Hash: 8c5ce65e78fe7f8786bb9179fe5637aa60e3f2480f1aead725e4971b5a40a917
Instruction Fuzzy Hash: 1A21C4B59002499FDB10CFAAD984ADEBFF9FB48310F14851AE918A3350D378A954CFA5

Function 053EC91C Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 053EE259

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 7d66c8cb66a41622a38adc6fde0eefbb717eae75e3b158ca68c64f6d7affeb3b
Instruction ID: 50dc51b1a05aa7794a99ee3d8b3a6d617e8f944df9e310f88ef43bbb933425db
Opcode Fuzzy Hash: 7d66c8cb66a41622a38adc6fde0eefbb717eae75e3b158ca68c64f6d7affeb3b
Instruction Fuzzy Hash: 242147719042198FDB14DF9AC844BEEFBF9FB88310F14842AE419A3290D778A945CFA1

Function 053EB1B8 Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 053EB227

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e6c6ecaf5784078803000bb3bc935abe1c793547de698280c2943b1cbbe99744
Instruction ID: 1fa02f1b6593c9f66509cf0cf8f9bb5e9b939e5de8f4c652d8d03a94f0ae3d08
Opcode Fuzzy Hash: e6c6ecaf5784078803000bb3bc935abe1c793547de698280c2943b1cbbe99744
Instruction Fuzzy Hash: 161146B58003499FDB10CFAAD844BEEBFF8EF48320F14841AE518A3250C379A950DFA5

Function 012CC1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 012CC256

Memory Dump Source

Source File: 00000003.00000002.2080775142.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12c0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d1dcafa116195ab54e1fcde450f4425128c2951fa54004615fbf4128bf8ed183
Instruction ID: 209d525dccd92b11ca2876db150471e9e75f45c8d549028ac99d9b56b776c401
Opcode Fuzzy Hash: d1dcafa116195ab54e1fcde450f4425128c2951fa54004615fbf4128bf8ed183
Instruction Fuzzy Hash: F0110FB5C002498FDB10DF9AC444A9EFBF9EB88610F14851AD629A7200C379A545CFA1

Function 053E9DC0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 053EB58D

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c21fba836f260cd45363b3dcfceafd962ab8797cef6b43b5fdb6a2ae15101e2b
Instruction ID: d15c7861322b7337c064bae97846340c7fc11ef886fa3e6f9c9f7a78648b8cc3
Opcode Fuzzy Hash: c21fba836f260cd45363b3dcfceafd962ab8797cef6b43b5fdb6a2ae15101e2b
Instruction Fuzzy Hash: CE11F2B580035D9FDB10DF9AD544BEEFBF8EB48310F10845AE518A7240C3B9A944CFA1

Function 053EB52A Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 053EB58D

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 17ec47c92b3c42307817e92aa0f35d4dfb6b102ec8ddceafe9d4f6213402dde3
Instruction ID: 557ff135496e85345af9e4930bf07a4351c545b693493893dcdba57fc8c10f52
Opcode Fuzzy Hash: 17ec47c92b3c42307817e92aa0f35d4dfb6b102ec8ddceafe9d4f6213402dde3
Instruction Fuzzy Hash: 2B11D3B58003499FDB10DF9AD985BDEFBF8FB48324F148419E558A7240C379A944CFA1

Function 053E2010 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 053E2075

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 22e38f534a4ae7f97054994d27d86c0d3afce32cd4331edda60cde772a937f3d
Instruction ID: 66d4425ff893fd289606cf0e0f7a74701f7c0c39179373c2194e5c627cc05571
Opcode Fuzzy Hash: 22e38f534a4ae7f97054994d27d86c0d3afce32cd4331edda60cde772a937f3d
Instruction Fuzzy Hash: E51103B98002598FDB10DF99D585BEFBBF8FB48314F20845AE919A7241C378A944CFA1

Function 053E2018 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 053E2075

Memory Dump Source

Source File: 00000003.00000002.2093755321.00000000053E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_53e0000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 5b51f3a46a4361d33c595ab59ea4e647b17e843c320da3bc4cfcef467f41b07e
Instruction ID: aef929ca08d5d7743c14a8f0638996f22c9940678a8ed6027cf1e05556000977
Opcode Fuzzy Hash: 5b51f3a46a4361d33c595ab59ea4e647b17e843c320da3bc4cfcef467f41b07e
Instruction Fuzzy Hash: FE1100B58002498FDB10DF9AC584BDFBBF8EB48320F20841AE919A3240C379A944CFA1

Function 010ED01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2080200414.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10ed000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726f1458932393d82291f92a4d090414714b48280ec6836300aa0043d7f56be2
Instruction ID: 01af1e3fb8f514865df9ec75464c24ad2774a619ede0321ea03a04bca970298a
Opcode Fuzzy Hash: 726f1458932393d82291f92a4d090414714b48280ec6836300aa0043d7f56be2
Instruction Fuzzy Hash: 49212571604200DFCB15DF68D588B16BFE5FB84314F28C5ADE9890B256C33AD407CB61

Function 010ED006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2080200414.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10ed000_doc_Zapytanie - Oferta KH 09281.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abbb95b2db24be9c731221642a8e9a786d331357ba67601458f9a9b12d8617b5
Instruction ID: 0dd762e0d7ac707259e04f6a97e053007c57851d98fb4214def597a086a8fedb
Opcode Fuzzy Hash: abbb95b2db24be9c731221642a8e9a786d331357ba67601458f9a9b12d8617b5
Instruction Fuzzy Hash: E02184755093808FDB13CF64D994715BFB1FB46214F28C5DAD8898F6A7C33A980ACB62

Analysis Process: workbook.exePID: 5064, Parent PID: 1560COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	308
Total number of Limit Nodes:	14

Executed Functions

Function 00E3D4E8 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E3D576
GetCurrentThread.KERNEL32 ref: 00E3D5B3
GetCurrentProcess.KERNEL32 ref: 00E3D5F0
GetCurrentThreadId.KERNEL32 ref: 00E3D649

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5a37421cf5e0d9a4f6adf2950c3111e798649921b6b6bacf6fbd6b6d42a1fc5b
Instruction ID: 961b042b49900da24fecd67d7579c8410c44e0cf3c182ddfb8f7db07b3785fbf
Opcode Fuzzy Hash: 5a37421cf5e0d9a4f6adf2950c3111e798649921b6b6bacf6fbd6b6d42a1fc5b
Instruction Fuzzy Hash: 8D5147B0904309CFDB04DFA9D588B9EBFF1FF88304F248469E019A72A1D7789944CB65

Function 00E3D4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E3D576
GetCurrentThread.KERNEL32 ref: 00E3D5B3
GetCurrentProcess.KERNEL32 ref: 00E3D5F0
GetCurrentThreadId.KERNEL32 ref: 00E3D649

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dee91e2df1bd593d33322414eadf7f1b0474aabf37cf100042b8923a1d7a74cb
Instruction ID: 24a35f419e76c548439a244be9d0f9b50f8bb569072db82d259a3a619e649581
Opcode Fuzzy Hash: dee91e2df1bd593d33322414eadf7f1b0474aabf37cf100042b8923a1d7a74cb
Instruction Fuzzy Hash: 9B5136B0900209CFDB14DFA9D988B9EBFF5FF88314F208459E019A72A1D7749944CB65

Function 04BC322E Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04BC346E

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d093613b4ecbde54eec506139fce1e3b74e624b81f55874cf79a2994850252d5
Instruction ID: a031896ec8c447c77c5fa93846ceefd6f1a313575e4b072d8275d31fc48d23ea
Opcode Fuzzy Hash: d093613b4ecbde54eec506139fce1e3b74e624b81f55874cf79a2994850252d5
Instruction Fuzzy Hash: 3CA14971D002199FEB24CFA8C881BEDBBF2FF44314F5495A9E809A7240DB75A985CF91

Function 04BC3238 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04BC346E

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 977bf85bc6c79ca2d97c021b8c1386bbceb80f455352d3e313fc83d0b7f16798
Instruction ID: b65acb4a47d335a25c805cd5b5bb4861715e2bb0b11d7e9f09364cfaf9f3718f
Opcode Fuzzy Hash: 977bf85bc6c79ca2d97c021b8c1386bbceb80f455352d3e313fc83d0b7f16798
Instruction Fuzzy Hash: FC914971D002199FEB24CF68C881BEDBBF2FF48314F5485A9E809A7250DB75A985CF91

Function 00E3AE59 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B0BE

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8ce6c48d5fd2dc321f1712f0868844587e7c3b46be3a924611147d2ce231ce92
Instruction ID: 153e339d0e158431983bd7d0821a11586e9db78f8cb57922bbdcff1cecbdab40
Opcode Fuzzy Hash: 8ce6c48d5fd2dc321f1712f0868844587e7c3b46be3a924611147d2ce231ce92
Instruction Fuzzy Hash: 078168B0A00B458FD724DF29D4597AABBF1FF88304F148A2DE486D7A50D735E885CB91

Function 05071924 Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05071A42

Memory Dump Source

Source File: 00000006.00000002.2114547015.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5070000_workbook.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cba5db07c6f12a379518bc104a114f1076ff79e457efdff95f0d26c6f663e3c7
Instruction ID: 67bfd4c478952d052c50466c0df43d3d4034bf5786ed87ab7fbe427893afccbf
Opcode Fuzzy Hash: cba5db07c6f12a379518bc104a114f1076ff79e457efdff95f0d26c6f663e3c7
Instruction Fuzzy Hash: 8C51C0B1D00349EFDB14CF99D884ADEBBF6BF48310F24812AE819AB250D7759985CF94

Function 05071930 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05071A42

Memory Dump Source

Source File: 00000006.00000002.2114547015.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5070000_workbook.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: db46ee5b5cd955f58bc20c818496dbf2ac55802029495b733426d29cad74e3a9
Instruction ID: 6343760c9c18207928494d88e51422fc91ffefd57edf71048a61ae2482eba498
Opcode Fuzzy Hash: db46ee5b5cd955f58bc20c818496dbf2ac55802029495b733426d29cad74e3a9
Instruction Fuzzy Hash: 3F41C0B1D00309EFDB14CF99D884ADEBBF6BF48310F24812AE819AB250D774A945CF94

Function 00E3590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359C9

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 393bee54b5b2ead70092ffd3b34a85357242193c47eac4540a23110c67a40d13
Instruction ID: acc7e952f332716fbb1906e3fdbfc1b6d2395ce29fba00c5c87387af48b72278
Opcode Fuzzy Hash: 393bee54b5b2ead70092ffd3b34a85357242193c47eac4540a23110c67a40d13
Instruction Fuzzy Hash: 5541F4B1C00619CEDB25CFA9C8897DDBBF5BF88304F20816AD418AB255D775594ACF90

Function 00E344E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359C9

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 43fd27ed19db6d6d90170de72267f592c296f3cc78e8ebf1700dc1567252a8ef
Instruction ID: 407319d1b1585ca4066a1a05848268e2bfb634a27578ef203bcaa4cf819b988d
Opcode Fuzzy Hash: 43fd27ed19db6d6d90170de72267f592c296f3cc78e8ebf1700dc1567252a8ef
Instruction Fuzzy Hash: 3041E3B1C0071DCBDB24DFA9C888B9EBBF5BF88304F20816AD419AB255DB755945CF90

Function 05074090 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05074151

Memory Dump Source

Source File: 00000006.00000002.2114547015.0000000005070000.00000040.00000800.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5070000_workbook.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: c707d764c17030f12d97d6bfc715a3e056444b8e5616d32d9179e1e8afe86bd3
Instruction ID: 1e709591330c25c98c56dcf73b4cc813c1f3c77ae0b7e06c28577a75e687668a
Opcode Fuzzy Hash: c707d764c17030f12d97d6bfc715a3e056444b8e5616d32d9179e1e8afe86bd3
Instruction Fuzzy Hash: C0411AB5A002098FCB14DF99C888AAEFBF5FB98314F28C459D519A7321D374A841CFA4

Function 04BC2FB0 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04BC3040

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4a9b2883587468421a1226589890adffe78dae8c07d6a6a1475113e229027d40
Instruction ID: 385db0473458ea697c6022393fe863b648816e5ba3208a7e3a50495d3eef3096
Opcode Fuzzy Hash: 4a9b2883587468421a1226589890adffe78dae8c07d6a6a1475113e229027d40
Instruction Fuzzy Hash: BD213B719003099FCB10DFA9C885BDEBBF5FF48310F508429E919A7240C778A944CBA4

Function 04BC2FAA Relevance: 1.6, APIs: 1, Instructions: 68injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04BC3040

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 83528a7273475d767ab96d6377ba1916f162f8e91c966b0db0c956eea18dc2d8
Instruction ID: 29be576767ed9bce2aa85990c478467f2a74d24b1adb5d46b2e4479a84523ed0
Opcode Fuzzy Hash: 83528a7273475d767ab96d6377ba1916f162f8e91c966b0db0c956eea18dc2d8
Instruction Fuzzy Hash: 6E2127B6D003099FCB10CFA9C985BEEBBF5FF48310F50842AE919A7240C7789944CBA4

Function 00E3D738 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D7C7

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a717a416dd26cd01ff8a23a257d81808c0ac0a4e2c56c523eb8fd0251c944a28
Instruction ID: d5795d74ad11b4e4057cec3abfde5a4de24d2998b22f6c5ced76bae9c0d0ce54
Opcode Fuzzy Hash: a717a416dd26cd01ff8a23a257d81808c0ac0a4e2c56c523eb8fd0251c944a28
Instruction Fuzzy Hash: 4B21E3B59002099FDB10CFAAD985ADEBFF9FB48710F14841AE918A3310C378A945CFA1

Function 04BC2E18 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 04BC2E96

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dde9d99b2bc0391f07bfeb0bb277fb2016981bb2cd634c98c831adb7b1be55ef
Instruction ID: d16559310532cedea25ce5220e3b4e0a4877a4e705eb9e6abb04f4a660cc2bab
Opcode Fuzzy Hash: dde9d99b2bc0391f07bfeb0bb277fb2016981bb2cd634c98c831adb7b1be55ef
Instruction Fuzzy Hash: AC2135B1D003098FDB14DFAAC485BEEBBF4EF48310F10846AD419A7240CB78A985CFA1

Function 04BC30A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BC3120

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8e5f6320a0c8989bd5424d198801f1bdc432b38e93e1e5e0981c12dcff468a16
Instruction ID: 28b4bd631b21c5bda7e1d243705436e40a0fbbc73eda8d920c475f05707345d0
Opcode Fuzzy Hash: 8e5f6320a0c8989bd5424d198801f1bdc432b38e93e1e5e0981c12dcff468a16
Instruction Fuzzy Hash: 1B2139B1C003499FCB10DFAAC881AEEFBF5FF48310F508429E919A7250C738A945CBA1

Function 04BC3098 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04BC3120

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f69ac5dca4846f1c4191689a03d335119504abd42103e69a3749f1f011459c91
Instruction ID: 6f0f12f8398f757e58705e7ad52f08f4bc3033b2f3776b5437cd94bebc975b39
Opcode Fuzzy Hash: f69ac5dca4846f1c4191689a03d335119504abd42103e69a3749f1f011459c91
Instruction Fuzzy Hash: 4D2125B1C002499FCB10DFAAC985BEEFBF5FF48310F50842AE959A7250C7389945CBA1

Function 00E3D740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D7C7

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 351d72f38d6ca83dff897a590379fee0b7e687f6e9c0ca15292408e738cc9cc9
Instruction ID: 8393be4e2118b657d1c139539a0dda450a444637ae6a7d973f8244c9da13e943
Opcode Fuzzy Hash: 351d72f38d6ca83dff897a590379fee0b7e687f6e9c0ca15292408e738cc9cc9
Instruction Fuzzy Hash: C121C2B59002489FDB10CFAAD984ADEBFF9FB48310F14841AE918A3350D378A944CFA5

Function 04BC2E12 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 04BC2E96

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e5d0847aa8720375e37ac73c22ec1939eae38b407bb42b34c536e45dc464e8a1
Instruction ID: f37c2cda81c61c439b6b3a24f3ab13d8845dc7fc5b3231029ebdddde50f5b3af
Opcode Fuzzy Hash: e5d0847aa8720375e37ac73c22ec1939eae38b407bb42b34c536e45dc464e8a1
Instruction Fuzzy Hash: 622137B1D00209CFDB14DFAAC5857EEBBF4EF48310F14846AD519A7240C778A945CBA1

Function 04BC2EF0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04BC2F5E

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 65b6cf9740f5e24f694acbc02413ed5ecfd35cb8762f60e856e1cc842ef109f7
Instruction ID: af36d6c23607c84b6177169cf4a5c138df5700b5e3aadf76c1d01a582b3dd9ce
Opcode Fuzzy Hash: 65b6cf9740f5e24f694acbc02413ed5ecfd35cb8762f60e856e1cc842ef109f7
Instruction Fuzzy Hash: 921126718002499FCB14DFAAC845AEEBBF5FF48314F208459E519A7250CB79A544CBA1

Function 04BC2EEA Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04BC2F5E

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4600a8128613a6f7a55bb77ca2d7bfc6c49a2ba71d472d4dfec10b9fabdcdad4
Instruction ID: b83d9608181e76cd4c890a6561f3e53217e4a1f2c8a1fa8692bf7897be3a60d2
Opcode Fuzzy Hash: 4600a8128613a6f7a55bb77ca2d7bfc6c49a2ba71d472d4dfec10b9fabdcdad4
Instruction Fuzzy Hash: C21167B6C002089FCB10DFA9C945BEEBBF5FF48310F208459E519A7250C739A540CFA0

Function 04BC2930 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04BC2992

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa757ee8efbddeffaeebb30cb7bc9dac79cf1815cd9a2d02c4b1e6def55065a9
Instruction ID: b8514fae2565180aaa68bef141105807bcee2c6f01243dd0a82491d8990606a1
Opcode Fuzzy Hash: aa757ee8efbddeffaeebb30cb7bc9dac79cf1815cd9a2d02c4b1e6def55065a9
Instruction Fuzzy Hash: DA1136B1D003488FDB24DFAAC4457EEFBF5EF88324F208469D519A7240CB79A945CBA5

Function 04BC2928 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 04BC2992

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 290d41e42ae9b4fc38af0c24a11147ea1c3306b0ded95d0be51e7222281c4a80
Instruction ID: d66777ef8cf67226c564a1f20b7daddd44015f77dcf95e3cf762fd63d08aa9a0
Opcode Fuzzy Hash: 290d41e42ae9b4fc38af0c24a11147ea1c3306b0ded95d0be51e7222281c4a80
Instruction Fuzzy Hash: 0B1158B1D003488FDB14DFA9C5457EEFBF4EF48310F208469C119A7240CB78A945CBA1

Function 00E3B058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B0BE

Memory Dump Source

Source File: 00000006.00000002.2095042162.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e30000_workbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 92e703f160ebdd43f741b30c732040800d6399ed38e91c0ea167efc12c47074a
Instruction ID: 02cd66aaa44a0f1c6fc0ab7f77f0ba105e331c101057bdcbf86c435f42f63757
Opcode Fuzzy Hash: 92e703f160ebdd43f741b30c732040800d6399ed38e91c0ea167efc12c47074a
Instruction Fuzzy Hash: 0511DFB5C002498FCB24DF9AC548B9EFBF4EF88314F10846AD529B7650D379A545CFA1

Function 04BC135C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04BC5645

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a636308923375f4fd0613694c317fe72449ba2416da50e02ba049270df74adf5
Instruction ID: 38191b5d89dd123b27802b81c93146afa7a7dcaca78f67526844278788349916
Opcode Fuzzy Hash: a636308923375f4fd0613694c317fe72449ba2416da50e02ba049270df74adf5
Instruction Fuzzy Hash: 6111F2B58003499FDB20DF9AC885BDEBBF8FB48310F10845AE519A7210C379A944CFA1

Function 04BC55E1 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 04BC5645

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9b7357c71a0525cdfd5c6682c78ce1371c6e6aacebb756a6443a7911a8ea8e88
Instruction ID: f55fce90431e8a66323827728128b12eeb16f19b93b690d1a95a0fe2043260b1
Opcode Fuzzy Hash: 9b7357c71a0525cdfd5c6682c78ce1371c6e6aacebb756a6443a7911a8ea8e88
Instruction Fuzzy Hash: A41115B58003499FDB20DF99C585BEEFBF4FB48310F20845AE558A3210C379A944CFA1

Function 04BC6878 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 04BC68D0

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 320547d6d357f3473e0e456e57630355a2aa49ed1900bc3d014cc53a69531806
Instruction ID: 4067f67840718923520c4d3290565809635ac69f998e342203afb79224cd7760
Opcode Fuzzy Hash: 320547d6d357f3473e0e456e57630355a2aa49ed1900bc3d014cc53a69531806
Instruction Fuzzy Hash: 371103B58002498FDB20DF9AC585BDEBBF4EB48320F20846AD558A7340D738A984CFA5

Function 04BC6870 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 04BC68D0

Memory Dump Source

Source File: 00000006.00000002.2111214043.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bc0000_workbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a7871f9781b3cf744e25629c3a33206402f6a3997bc992a93f6af0a111f232d3
Instruction ID: 848ffaa15801bdf9b0d652609d0bf38d7e44dc0af9a9e94824b4c89a9a57dc06
Opcode Fuzzy Hash: a7871f9781b3cf744e25629c3a33206402f6a3997bc992a93f6af0a111f232d3
Instruction Fuzzy Hash: 1F1125B68002098FCB10DF99C585BDEBBF4EB48320F10845AD558A7341D338A944CFA5

Function 00DCD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2093987856.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4024feea1f245b852efc702253c0e5e3b3e92f860d799367ead7b209d96475
Instruction ID: 8beba1fae59725b1ff28023ea36bfd6414ac3ebdaa4c042c7a64058b74b7bb3e
Opcode Fuzzy Hash: 8a4024feea1f245b852efc702253c0e5e3b3e92f860d799367ead7b209d96475
Instruction Fuzzy Hash: CD21F171108205DFCB09DF14C9C0F26BB66EB98314F24817DEA090B256C33AE806CAB2

Function 00DDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2094119642.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eee0b3c8305af2a34b22d4337e3db7cc6bfcdf29b9e3c4f1b68c772c728b9897
Instruction ID: 603ce90000805e9d867a92526780f626acc64c7c34ee12373edfbf1f5c009d08
Opcode Fuzzy Hash: eee0b3c8305af2a34b22d4337e3db7cc6bfcdf29b9e3c4f1b68c772c728b9897
Instruction Fuzzy Hash: 5721D071604204DFCF14DF24D984B26BB66EB88314F24C56AE94A4B396C33AD80ACAB1

Function 00DDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2094119642.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912dd606112f87e65619e64218d40b94e8c75db41aa6879e0fc383a8c7b37c4a
Instruction ID: 0e4be48c1b8ec717399c6d7bda45c0accef01806e9b14f485ef38aad5f836e64
Opcode Fuzzy Hash: 912dd606112f87e65619e64218d40b94e8c75db41aa6879e0fc383a8c7b37c4a
Instruction Fuzzy Hash: 7621D071544204AFDF15DF64D980F26BFA6FB88314F24C56AE9494B396C33AD806CA71

Function 00DDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2094119642.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acea2128fac930488f875100eb0d502bc5a22ee1111c17c2ce81e56b897d1413
Instruction ID: 47971672b64d8237971f794de598089d680bbeebfa913a22f05a8efba47f7588
Opcode Fuzzy Hash: acea2128fac930488f875100eb0d502bc5a22ee1111c17c2ce81e56b897d1413
Instruction Fuzzy Hash: 762153755093808FDB12CF24D994715BF71EB46314F29C5EBD8498B6A7C33A980ACB62

Function 00DCD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2093987856.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 3a7bdbaf166aeb2fba106dc7c887cfe9d180b8a40ced95cbe1b5c7806ce0402b
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 9D110372404240DFCB06CF00D9C4B16BF72FB94324F28C6ADD9090B256C33AE85ACBA2

Function 00DDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2094119642.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ddd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: ebb38e32d7dfe8af98124ec624700a933135d1476cf44c29ba610fdfb5801308
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 5F118B75504280DFDB16CF14D5C4B15BFB2FB84314F28C6AAD8494B796C33AD84ACB62

Function 00DCD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2093987856.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2563637765870a9bf9022e3a9dd99ea590d1ed39ef7bc3cb5f86b75c7f26c1e7
Instruction ID: 9ac3d04e35996fe22540bb95c4a184cff85dfe2b992326fb141cb997be64cb1c
Opcode Fuzzy Hash: 2563637765870a9bf9022e3a9dd99ea590d1ed39ef7bc3cb5f86b75c7f26c1e7
Instruction Fuzzy Hash: B701F2310043419AE7209E29CD84F66BF9CEF46320F28C53EED4A0B2C6C2799801CAB1

Function 00DCD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2093987856.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_dcd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab7e9412357aa2328024116165989778ba0467f7a7306c97f103b00b6e82869
Instruction ID: 535b2dcf266ebde0c9fe39629ad56fbc4812cd2f4262e06068eb393a11e79a30
Opcode Fuzzy Hash: 9ab7e9412357aa2328024116165989778ba0467f7a7306c97f103b00b6e82869
Instruction Fuzzy Hash: BDF06271404344AAEB108E16CC88B62FF98EF55734F28C56AED494B2D6C2799C44CBB1

Analysis Process: workbook.exePID: 6076, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	177
Total number of Limit Nodes:	9

Executed Functions

Function 02E1322F Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02E1346E

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 77780aecec96a4fe2b51b4a4331b0f17a0bd99feac5dc90815047243f76cdd03
Instruction ID: 62b997a2490b14a415a1efd28ab44d24031ea4175e61ce857ecc56719636fe67
Opcode Fuzzy Hash: 77780aecec96a4fe2b51b4a4331b0f17a0bd99feac5dc90815047243f76cdd03
Instruction Fuzzy Hash: 2E918C71D00619CFDB24CFA9C841BEDBBB2FF48318F1491AAE819A7240DB759985CF91

Function 02E13238 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02E1346E

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: fa4b4e5008d35594b785583246fc3cb38c657582cd9055efc5560edf85e4db16
Instruction ID: 86dc6887cc418925f6126d0476f5156062eb7de205adb3108888fd76a05ccfe1
Opcode Fuzzy Hash: fa4b4e5008d35594b785583246fc3cb38c657582cd9055efc5560edf85e4db16
Instruction Fuzzy Hash: 52917C71D00619CFDB24CFA9C841BEDBBB2FF48318F1491AAE819A7240DB759985CF91

Function 014AAE59 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014AB0BE

Memory Dump Source

Source File: 00000007.00000002.2144228245.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a0000_workbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ceb4d17b9b0773c4c35f2553f1ada3c873193db90b946623088c11b2895ec7ba
Instruction ID: 591b2a5e0bf97a9c09d890a1f22ab1858ff4fda82a9ff40825b6e3b813814e94
Opcode Fuzzy Hash: ceb4d17b9b0773c4c35f2553f1ada3c873193db90b946623088c11b2895ec7ba
Instruction Fuzzy Hash: 088155B0A00B059FD728DF2AD45075BBBF5FF98204F10892EE48A87B60DB75E845CB91

Function 014A44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014A59C9

Memory Dump Source

Source File: 00000007.00000002.2144228245.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a0000_workbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f5bf5166b3a5caa84f464fc0262f0d02508bf741c687ab362b002a29db6fa475
Instruction ID: 6a9805ac23b99cd67f4882ffd4f7b31221146403259d5df85ae4715776b7651e
Opcode Fuzzy Hash: f5bf5166b3a5caa84f464fc0262f0d02508bf741c687ab362b002a29db6fa475
Instruction Fuzzy Hash: 6841F2B0D0071DCBDB24DFA9C984B9EBBB5BF49304F60806AD408AB261DB756946CF90

Function 014A590D Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 014A59C9

Memory Dump Source

Source File: 00000007.00000002.2144228245.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a0000_workbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c96a7e6b55db6e90095371aa0bf8e5bcef2fb10fef83a8d9745d08805ad0f35d
Instruction ID: 50e6f0cb48f7244c5fc5243df1d419441b862d161bf1d2d3792276632e6d7180
Opcode Fuzzy Hash: c96a7e6b55db6e90095371aa0bf8e5bcef2fb10fef83a8d9745d08805ad0f35d
Instruction Fuzzy Hash: E84102B0D00719CFDB24CFA9C985B9EBBF5BF49304F20806AD408AB261DB756946CF90

Function 02E13098 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E13120

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1ea24305565e3c58423c5e2b0813f7e412dfc84fce3a025ebf2623eeeaa81ac4
Instruction ID: b29a02d18d13b44495070ee1af9ebd21a7530e220261da84c63c63ea6ac6b7f4
Opcode Fuzzy Hash: 1ea24305565e3c58423c5e2b0813f7e412dfc84fce3a025ebf2623eeeaa81ac4
Instruction Fuzzy Hash: 622119759003599FCB20DFAAD841AEEBBF5FF88320F10846AE559A7240C7789945CBA1

Function 02E12FAB Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02E13040

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 02c339703bf900b73fd05bcd8073fadc61cb3351bf86027cfdea386575347716
Instruction ID: b8b3e690489d610f77ff77530450569b0089152059bb705e305353f98fd6272e
Opcode Fuzzy Hash: 02c339703bf900b73fd05bcd8073fadc61cb3351bf86027cfdea386575347716
Instruction Fuzzy Hash: 272146B5D003499FCB10DFAAC881BEEBBF5FF48314F10842AE959A7240C7789940CBA4

Function 02E12FB0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02E13040

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4d9af261194bbf808b248800f861c57284cd63805d4f4b5c7aeb32c8c8f41c72
Instruction ID: 59ca14ff50ea6cfa484b40ee29c79e79f39eaad34e486be4c4f518eb48d4a967
Opcode Fuzzy Hash: 4d9af261194bbf808b248800f861c57284cd63805d4f4b5c7aeb32c8c8f41c72
Instruction Fuzzy Hash: 742148B5D003499FCB10DFAAC885BEEBBF5FF48314F10842AE919A7240C7789944CBA4

Function 02E12E13 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02E12E96

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e8adc08630c8cdbe5bc164be79451dd77a0aaef66ee101b0f1a484c771d0fb5e
Instruction ID: 111d9c2415e9d4cc478f326cba6ec9602d6043e80ab8f0d01e30eebab5b221ab
Opcode Fuzzy Hash: e8adc08630c8cdbe5bc164be79451dd77a0aaef66ee101b0f1a484c771d0fb5e
Instruction Fuzzy Hash: 01213775D002098FDB10DFAAC8857EEBBF4EF88324F14842AD519A7241CB789985CFA5

Function 014AB850 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014AD706,?,?,?,?,?), ref: 014AD7C7

Memory Dump Source

Source File: 00000007.00000002.2144228245.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a0000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a467781170fcb0c03c4dded2a7618c55e607469306c7c3fb3cc9a904064da2cc
Instruction ID: 71bdf6875480bc39e7b73cbee4d9a7c79674a8627131267a996b455d45f00a75
Opcode Fuzzy Hash: a467781170fcb0c03c4dded2a7618c55e607469306c7c3fb3cc9a904064da2cc
Instruction Fuzzy Hash: 2721E6B5D002489FDB10CF9AD584AEEBFF8FB48710F14841AE918A3310D378A944CFA5

Function 014AD738 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,014AD706,?,?,?,?,?), ref: 014AD7C7

Memory Dump Source

Source File: 00000007.00000002.2144228245.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a0000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ccaf8e94a9977836dc1f55894f493cded2c366a5da8c22ce55b35cf2c4798c5
Instruction ID: 42a20a5f7b104643af449caff08a45d19d4f3bc5b31c60e005026fcd28e5d2d3
Opcode Fuzzy Hash: 6ccaf8e94a9977836dc1f55894f493cded2c366a5da8c22ce55b35cf2c4798c5
Instruction Fuzzy Hash: 1E21E4B5D002489FDB10CFAAD984ADEBFF9FB48310F14841AE958A7310D378A954CFA5

Function 02E130A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02E13120

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0817df710006ea20e30ec1852a31d1c45b9634214d6eaee2eae9e11098c65d31
Instruction ID: be3588a85c0e5825a2f7cb8200fbe2e1cb15faf97c81d099c215bcd48c8569ba
Opcode Fuzzy Hash: 0817df710006ea20e30ec1852a31d1c45b9634214d6eaee2eae9e11098c65d31
Instruction Fuzzy Hash: 7B2138B1D003499FCB10DFAAC881AEEFBF5FF48320F10842AE519A7240C7389941CBA1

Function 02E12E18 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02E12E96

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0db42f020b1ec4ec5333a11781d09f390e35002d23f5e4051756da5b5c95fa5e
Instruction ID: e151b25c9c9a9ce49f203c3ef7aefce3bb84da2b49830bd9da341fd80c05b7a4
Opcode Fuzzy Hash: 0db42f020b1ec4ec5333a11781d09f390e35002d23f5e4051756da5b5c95fa5e
Instruction Fuzzy Hash: CA211871D002098FDB10DFAAC9857EEBBF4EF48314F14842AD559A7240CB789945CFA5

Function 02E12EEB Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02E12F5E

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 04f6e1cf88aef119a5e563aca570c2fe6b8193cce2bf5af854477d502d7d0448
Instruction ID: b6c93750a8c28a3dba5c7439e8a75de2b33dc3622535e2e2efd0e5f632929b66
Opcode Fuzzy Hash: 04f6e1cf88aef119a5e563aca570c2fe6b8193cce2bf5af854477d502d7d0448
Instruction Fuzzy Hash: DC1159759002499FCB10DFAAD845AEEBFF5EF88314F248419E519A7250CB39A540CBA1

Function 02E12928 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02E12992

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 718a797a3981e2300b57f50f0631a0c5221f56d0e2e45d0f8947c2927b51aa0f
Instruction ID: 1587d7dc8fff060ed69d754de9e721894214524ef8c716a53da4110573aaf1e9
Opcode Fuzzy Hash: 718a797a3981e2300b57f50f0631a0c5221f56d0e2e45d0f8947c2927b51aa0f
Instruction Fuzzy Hash: 80117CB5D002488FCB20DFAEC8457EEFBF4EF88314F208429D519A7200C738A441CBA5

Function 02E12EF0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02E12F5E

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a027077014610c10f9a15432b6f81057b5c0fd571cde7b737933a1ab99572d7d
Instruction ID: d3aab44f8e6792de8b4ee4ad0b5975ef13454e0ab745f4e60867344db480beb7
Opcode Fuzzy Hash: a027077014610c10f9a15432b6f81057b5c0fd571cde7b737933a1ab99572d7d
Instruction Fuzzy Hash: 801137759002499FCB10DFAAC845AEFBFF5FF88314F208419E519A7250C779A540CFA1

Function 02E12930 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 02E12992

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 18463efbedbdb469595337d64eb613fe01e005cfd9b7f62e1de6ecbc4abb6cac
Instruction ID: a18d6195b117b9600bb5320bf7d317b68866658a2203e788b49b46d0098947f3
Opcode Fuzzy Hash: 18463efbedbdb469595337d64eb613fe01e005cfd9b7f62e1de6ecbc4abb6cac
Instruction Fuzzy Hash: DF1128B19002498FCB10DFAAC8457EEFBF5EF88324F208419D519A7240CB79A544CBA5

Function 014AB058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 014AB0BE

Memory Dump Source

Source File: 00000007.00000002.2144228245.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_14a0000_workbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ba1ac7f48da2f3f0edcdc9f01cd5c230bca9285e013d5b14eef089037f2304c0
Instruction ID: 6b0362ab8a1ba47dec95d72a62a63a7a92d2fd5a073511e809839980fa14e0c6
Opcode Fuzzy Hash: ba1ac7f48da2f3f0edcdc9f01cd5c230bca9285e013d5b14eef089037f2304c0
Instruction Fuzzy Hash: EC1110B5C002498FDB10CF9AC444BDEFBF4EF88310F11841AD529A7210D379A545CFA1

Function 02E154E9 Relevance: 1.5, APIs: 1, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 02E15515

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 01d0ce1dd3f6f026846e6ac25e10d1595bbcfddd1a2120e39c001d308ae2539b
Instruction ID: 4e3ea525cd0dce4986097e43eacf5ab2f7b34be8742cc00a4697f598c4752a83
Opcode Fuzzy Hash: 01d0ce1dd3f6f026846e6ac25e10d1595bbcfddd1a2120e39c001d308ae2539b
Instruction Fuzzy Hash: FBF0E7B5900309DFDB10DF89D484BDEBBF4FB88324F10845AE558A7210C379A584CFA1

Function 02E16748 Relevance: 1.3, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 02E167A8

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 2eacc2d6713f285cb6615e8932ce7cfb225ae58d6bcceb3c4f2508d7766ff0b1
Instruction ID: b95a8c32efb581891817c74346e312d20d01c7f483646d39a4076bfb00d30092
Opcode Fuzzy Hash: 2eacc2d6713f285cb6615e8932ce7cfb225ae58d6bcceb3c4f2508d7766ff0b1
Instruction Fuzzy Hash: 481166B58002498FCB10DF99C645BEEBBF4EF48324F20846AD958A7340D339A944CFA1

Function 02E16750 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 02E167A8

Memory Dump Source

Source File: 00000007.00000002.2144709219.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2e10000_workbook.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dc3b3755cd8514031aa9387044f39e425bef0fa9423e0cfd7a9706c6c79b967b
Instruction ID: 171742dd40f1f367bbaa33691701405df7473228b5ea24c5db2ce62777cf4b6c
Opcode Fuzzy Hash: dc3b3755cd8514031aa9387044f39e425bef0fa9423e0cfd7a9706c6c79b967b
Instruction Fuzzy Hash: EC1115B58007498FCB10DF9AC545BDEBBF8EF48324F14846AD958A7340D739A544CFA5

Function 011CD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142400354.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11cd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395038858c10a8fefbed137d762fa2ccbe20aabfff07b4343fe2dc02867ca636
Instruction ID: f4398b35a2bf7ef0ed6471e2ffe5c74ac41134bc7d4efb9f256a728c30725d4f
Opcode Fuzzy Hash: 395038858c10a8fefbed137d762fa2ccbe20aabfff07b4343fe2dc02867ca636
Instruction Fuzzy Hash: 9D2102B1100204DFDF09DF58E9C0B66BF65FBA8714F20C17DDA090A656C33AE406C6E2

Function 011CD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142400354.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11cd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c682381b428f05191c6ed94f6878215238f7d7c7b3306b562d8e5a26714ff3d0
Instruction ID: 3d8e68ddfd10205cbb7d5612da47636204fa614bc96549997c095d1a3c7e1749
Opcode Fuzzy Hash: c682381b428f05191c6ed94f6878215238f7d7c7b3306b562d8e5a26714ff3d0
Instruction Fuzzy Hash: 4721E071500240DFDF09DF98E980B26BF65FBA8718F20857DE9090A256C33AD416CAE2

Function 011DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142460969.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11dd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5460ebf116109e13c0cbc5b0d310a434c50d8345fde043156d68a2e4da636501
Instruction ID: 80fb3d64eec20b38956f3eaa105501d71da903b974192f08b685cf429ae0159d
Opcode Fuzzy Hash: 5460ebf116109e13c0cbc5b0d310a434c50d8345fde043156d68a2e4da636501
Instruction Fuzzy Hash: 4921F271604204DFDF19DF68E984B26BF65FBC8354F24C56DD90A4B296C33AD407CAA2

Function 011DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142460969.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11dd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 744916b34125f87588b6035d00ae888af3c7285f2f7b93544f1a86abd0bee9ee
Instruction ID: b59d1efbdcc4e487caf784dc92376b9ebd627433f3d6bc5f160b75d6bdd3c29b
Opcode Fuzzy Hash: 744916b34125f87588b6035d00ae888af3c7285f2f7b93544f1a86abd0bee9ee
Instruction Fuzzy Hash: 1121D771544204EFDF09DFA8E9C0F26BF65FB84324F24C56DE9494B296C33AD446CA62

Function 011DD006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142460969.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11dd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3564bd54dc7e41f34523aef8253bd213474e163ab3c7660a87fb06100f82ae1
Instruction ID: a93b39dcfc62cbdd1f13b35ddec322aab985b5e8f387b31ebf3814410005a977
Opcode Fuzzy Hash: a3564bd54dc7e41f34523aef8253bd213474e163ab3c7660a87fb06100f82ae1
Instruction Fuzzy Hash: 4D21A1755093808FDB17CF24D994B15BF71EB86214F28C5EAD8498B6A7C33AD40ACB62

Function 011CD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142400354.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11cd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 8e31b088c14b66bb675da1a29ea5540dd088482c7b5b5f0a9c7894d648f93670
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: BC11CD72404280DFDF06CF44D9C4B56BF61FB94224F24C6ADDA090A656C33AE45ACBA2

Function 011CD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142400354.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11cd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5f7358f9821de03d1d006202401b064cb9cae840db22e487c15a223ef9ce6c6a
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: CE11CD76404280CFCF06CF54E9C4B16BF71FBA8614F24C6A9D9490B256C336D45ACBA2

Function 011DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142460969.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11dd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: f8668bc3675b7cd7abe3d5776c26f50fa6a7ab07a422a886a53b6b9682c51410
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 9E11BB75504280DFDF06CF54D5C4B15BFB1FB84224F24C6A9D8494B696C33AD40ACB62

Function 011CD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142400354.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11cd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0122e34f357ef7329154d79e391c2432e2ec181663b5a0320281a0cf298ec3a6
Instruction ID: 625b9b76c72edb7f243663f73617f44126470b003c361dec26ef690b19102f24
Opcode Fuzzy Hash: 0122e34f357ef7329154d79e391c2432e2ec181663b5a0320281a0cf298ec3a6
Instruction Fuzzy Hash: 3B01203100478099EB145E99DD84B67FF9CDF55728F18C57EED090A246D3799401C6F2

Function 011CD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2142400354.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11cd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75bdcd98b3db1ea2b04594ff305e5ff0440d625fe123c3a54f24d8cd458c2217
Instruction ID: fe315d444351414e6497fe080826d4a8a53dbbbde417697ef1dec76582466a16
Opcode Fuzzy Hash: 75bdcd98b3db1ea2b04594ff305e5ff0440d625fe123c3a54f24d8cd458c2217
Instruction Fuzzy Hash: F2F0C8710043849AEB148E59DC84B62FF98EF55634F18C45AED484A286C3799840CBB1

Analysis Process: workbook.exePID: 6204, Parent PID: 5064COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	86
Total number of Limit Nodes:	10

Executed Functions

Function 0828B6E0 Relevance: 3.2, Strings: 2, Instructions: 707
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 0828BEEB
(aq, xrefs: 0828B8A0

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$(aq
API String ID: 0-3916115647
Opcode ID: 77c33a5e5cd830050711f5ea38468a2f0c3719868fe5f8c0cfb7622595fe839e
Instruction ID: 0518b9b700882c057237c3c41e927d88d6ad209a552088e040f1574cb40567e2
Opcode Fuzzy Hash: 77c33a5e5cd830050711f5ea38468a2f0c3719868fe5f8c0cfb7622595fe839e
Instruction Fuzzy Hash: 22429A74B01216CFCB19DF69C49466EFBF2BF88311F14896DD95A9B391CB30A806CB91

Function 08289700 Relevance: 9.2, Strings: 7, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 08289BFD
Haq, xrefs: 08289BD2
(aq, xrefs: 08289B7A
(aq, xrefs: 08289BA6
(aq, xrefs: 08289A48
(aq, xrefs: 082899DE
(aq, xrefs: 08289ED8

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq$(aq$(aq$Haq$Haq
API String ID: 0-2223377583
Opcode ID: 28e79237ce9e3497d9f333c689183395fcc512a78c6b6a0935695c06bbc84a2e
Instruction ID: d4fadef523359b4c77a931cd1ff4ab0595cc18a3b10788e5160c98fc21f6df1e
Opcode Fuzzy Hash: 28e79237ce9e3497d9f333c689183395fcc512a78c6b6a0935695c06bbc84a2e
Instruction Fuzzy Hash: 54E1D030612606CFCB15EF68D48463ABFE2FF85216B548A5DD846DB786CB30F882CB51

Function 03086530 Relevance: 6.1, APIs: 4, Instructions: 135
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030865BE
GetCurrentThread.KERNEL32 ref: 030865FB
GetCurrentProcess.KERNEL32 ref: 03086638
GetCurrentThreadId.KERNEL32 ref: 03086691

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 4daf9f4fb66504eb7ff9f2fd5590449be34458090e799358a1e45926f9ccdead
Instruction ID: 21e81fe6c12811b2179efcd9b520799b476f1aea0074b743a62df2adafc79a98
Opcode Fuzzy Hash: 4daf9f4fb66504eb7ff9f2fd5590449be34458090e799358a1e45926f9ccdead
Instruction Fuzzy Hash: F45164B0901249CFDB04DFAAD548BAEBFF1EF48304F248069E509A7360DB39A944CB65

Function 03086540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030865BE
GetCurrentThread.KERNEL32 ref: 030865FB
GetCurrentProcess.KERNEL32 ref: 03086638
GetCurrentThreadId.KERNEL32 ref: 03086691

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a9c0a5d0b2a3865868d406489735464a02a0848142cd6806ca6a72fe102a33a5
Instruction ID: 02936657e6a87dc20c510d211a01c022159050993b81355aa12e7761e916cf03
Opcode Fuzzy Hash: a9c0a5d0b2a3865868d406489735464a02a0848142cd6806ca6a72fe102a33a5
Instruction Fuzzy Hash: 245153B0901249CFDB04DFAAD548BAEBFF5EF48304F248429E509A7360CB39A944CB65

Function 08288F40 Relevance: 4.3, Strings: 3, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 082894E0
(aq, xrefs: 08289308
(aq, xrefs: 08289045

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$(aq$(aq
API String ID: 0-2593664646
Opcode ID: 298bfacf7a30017dd4fbe0b23f927f073ff1f9cda4cb03245e713688f125bdfb
Instruction ID: 75b895ac67065c005dbae25e49773ff176c17e522cf46a7c378e215d02f21e56
Opcode Fuzzy Hash: 298bfacf7a30017dd4fbe0b23f927f073ff1f9cda4cb03245e713688f125bdfb
Instruction Fuzzy Hash: 3A02CB34B016068FCB14DF68C884A6FBBF2FF89310B10856DD94ADB795DA34E942CB95

Function 082828A0 Relevance: 4.1, Strings: 3, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 082829C9
Haq, xrefs: 08282A21
(aq, xrefs: 082829F5

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$(aq$Haq
API String ID: 0-2456560092
Opcode ID: 507e9b4e9da2ec751e80665bd61f2e1f18a66387008f0b51ff4b69d1a677b004
Instruction ID: b97cef8d65329bdfd0dbd0daf060a0b62292ec608b4243e06c2beb474b8d215d
Opcode Fuzzy Hash: 507e9b4e9da2ec751e80665bd61f2e1f18a66387008f0b51ff4b69d1a677b004
Instruction Fuzzy Hash: EBE15434A01209DFCB44EF64D9949AEBBB6FF88310F118569E805AB364DF34ED46CB90

Function 08287920 Relevance: 2.8, Strings: 2, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 08287C09
4']q, xrefs: 08287BD2

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: f94c489dbc761fa8490e113ecc1b6413e8f818f6e2d0dba173d7d2a491138b27
Instruction ID: 1bc50fc1121896c1f0a5b6d4423c42ac93ed6f0ab9a4d19a0ca7ca6b70b36736
Opcode Fuzzy Hash: f94c489dbc761fa8490e113ecc1b6413e8f818f6e2d0dba173d7d2a491138b27
Instruction Fuzzy Hash: 83C1B674B10218DFDB44EFA8C994AADB7B6FF88300F104569E506AB3A5DB71AC42CF50

Function 08287917 Relevance: 2.8, Strings: 2, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4']q, xrefs: 08287C09
4']q, xrefs: 08287BD2

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: 4']q$4']q
API String ID: 0-3120983240
Opcode ID: 1d283b071e0c9bd1b6a5d6100b3e6f24e63194e3d6609c3556bbd5e8fc605b2f
Instruction ID: cb0a35ff21e44c7b5db96ec8b857ac4b25b28a7143b6eb73cffb26711fb4bd27
Opcode Fuzzy Hash: 1d283b071e0c9bd1b6a5d6100b3e6f24e63194e3d6609c3556bbd5e8fc605b2f
Instruction Fuzzy Hash: 50C1D874B10218DFCB44EFA8C994AADB7B6FF88301F104569E506AB3A5DB74AC46CF50

Function 08280E88 Relevance: 2.7, Strings: 2, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 08280ED6
Haq, xrefs: 08280FB5

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: 07718dd921c45401212158e143489d441ff75eeebf13b609334e646e0288fb2e
Instruction ID: bb1c50e796bccc1939c04ea239b3a3a1d79f5dc90a523193a0204f230d793f9b
Opcode Fuzzy Hash: 07718dd921c45401212158e143489d441ff75eeebf13b609334e646e0288fb2e
Instruction Fuzzy Hash: A971C430710605CFCB45EB78C9549AEBBB6EF89211B1181AAE506DB3A1DF34DD06CBA1

Function 0828AE38 Relevance: 2.7, Strings: 2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 0828AF89
(aq, xrefs: 0828AF5D

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$Haq
API String ID: 0-3785302501
Opcode ID: a7b7c38d76a284449239e6e791421b04aed560de1763e88471257996cef43f3e
Instruction ID: eb2bd612beb7b11a8a483b436dda3910df36dd442cf73f3085ee671a54ba5bde
Opcode Fuzzy Hash: a7b7c38d76a284449239e6e791421b04aed560de1763e88471257996cef43f3e
Instruction Fuzzy Hash: E751ED313017518FD729DF29C880B5ABBE6AF84320F10892EE55A8B7E1DF75E806CB51

Function 08287238 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,aq, xrefs: 08287251
(aq, xrefs: 082872B1

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq$,aq
API String ID: 0-1929014441
Opcode ID: 78e2f4f5c5b81eb241bbf3b7069243d1a343da396376f9ca7b5c775eb1aa0494
Instruction ID: 45e39db5c51a7600b0929f9686fa9ec274536d8f64fbd7fca2e2983dca9235a7
Opcode Fuzzy Hash: 78e2f4f5c5b81eb241bbf3b7069243d1a343da396376f9ca7b5c775eb1aa0494
Instruction Fuzzy Hash: FC41C43270015AAFCF019EE99C509FF7FEAEF88211B14406BFA45D3291DE35C91597A0

Function 0308BFF0 Relevance: 1.7, APIs: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590657c08ddb627d17fe38e186b9a9b2e6156d26825fc669269f670aefc04cba
Instruction ID: ccf83ce81c1385c7fb9587cde4c16c2eefadeca5c76b69f5edc1a73f7832c3b0
Opcode Fuzzy Hash: 590657c08ddb627d17fe38e186b9a9b2e6156d26825fc669269f670aefc04cba
Instruction Fuzzy Hash: FA815570A01B058FE764EF69D44475AFBF5FF88240F048A6ED08ADBA50DB75E845CBA0

Function 0308670F Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0308680F

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aaccd2f6671e31db1aa49c28defd68390399c2709c2ba335b9ab2ee658ae311b
Instruction ID: ca63a47717cb6e8ff27f4694bf73ad8789802e04d14a190525f27aece896d142
Opcode Fuzzy Hash: aaccd2f6671e31db1aa49c28defd68390399c2709c2ba335b9ab2ee658ae311b
Instruction Fuzzy Hash: 2B415B76900248AFCF01DF99C844ADEBFF9FB49320F15806AEA58A7310C7399910DFA4

Function 03087364 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03087421

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 78e4b11f2443f3c2cabbcd70f3e7a53c60e2bdc0f9f787a6c0497bf9c48e29fa
Instruction ID: 8d25bfafa278ea8e5b1010436d2635d1a949a78adef4ea3e956731661dc2476c
Opcode Fuzzy Hash: 78e4b11f2443f3c2cabbcd70f3e7a53c60e2bdc0f9f787a6c0497bf9c48e29fa
Instruction Fuzzy Hash: B34101B0C00219CADB24DFA9C844B8EBBF5BF49704F24806AD458AB255DB756949CF90

Function 03086414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 03087421

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 09b61364c37d4c517df34d95bcc42cfd9aa2fe4680466eb71afe6742052f0490
Instruction ID: 2e2145d93aaadcbd420bb7b6904029e41f775f154d70025c2e2035969fc4a329
Opcode Fuzzy Hash: 09b61364c37d4c517df34d95bcc42cfd9aa2fe4680466eb71afe6742052f0490
Instruction Fuzzy Hash: 75410FB0C0061DCFDB24DFA9C844B9EBBF6BF49704F20806AD458AB255DB75694ACF90

Function 03086780 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0308680F

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 842c5bf92bfc520465afa992171c8e441fee81200161cb1d5f4f527a11538ee3
Instruction ID: afb2cc0e56ec3b53cca0f262a72b5e88c17e0bf949f3907c5e3755f13389039f
Opcode Fuzzy Hash: 842c5bf92bfc520465afa992171c8e441fee81200161cb1d5f4f527a11538ee3
Instruction Fuzzy Hash: 3D21E3B5901208DFDB10DF9AD984AEEBBF8FB48310F14841AE958A3310D379A944CFA5

Function 03086788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0308680F

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9e0bda4372010b9c98ab1e245e7117d245e5cecd7fae387f3b5f0d3d5e75bbc6
Instruction ID: 99a9be62986500c7b8e19d2168a59842fb10e639e803a8f4c3e6bfb7ed59f08d
Opcode Fuzzy Hash: 9e0bda4372010b9c98ab1e245e7117d245e5cecd7fae387f3b5f0d3d5e75bbc6
Instruction Fuzzy Hash: 9521E3B59002089FDB10CF9AD984ADEBBF8FB48310F14841AE958A3310D379A944CFA5

Function 08286680 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0828669F

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: 72bc41989f26a46a05a8a29bbd0247bd2e2c8f28cf779ccd39a5b8eed760de5d
Instruction ID: f66bcfdae5e902f2ab635ceed324e2e455a041c3e070b20a450defeb574ecc8c
Opcode Fuzzy Hash: 72bc41989f26a46a05a8a29bbd0247bd2e2c8f28cf779ccd39a5b8eed760de5d
Instruction Fuzzy Hash: 1FD1FF34B11218DFDB48EFA8D994E9EB7B6FF88700F108558E506AB3A5CB74AC05CB50

Function 0308C1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 0308C256

Memory Dump Source

Source File: 00000008.00000002.4496276055.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_3080000_workbook.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ac7cfa75b2d65c838c79f88f6d20ea754627a18bd46bee1952f19f80c220106
Instruction ID: c7901db4508301c78057fdf368634bc238db18244a9ee3018149d6ca384f1b33
Opcode Fuzzy Hash: 2ac7cfa75b2d65c838c79f88f6d20ea754627a18bd46bee1952f19f80c220106
Instruction Fuzzy Hash: DB11DFB5C002498FDB10DF9AC444A9EFBF4AB89210F14851AD469A7650C379A545CFA5

Function 08282E38 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

(aq, xrefs: 08283105

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (aq
API String ID: 0-600464949
Opcode ID: 9146b03c2e8d932da26c20efbcba01a67f125d290116920eeae7d38d8af6231d
Instruction ID: 411272509a97876ea4fca2da7088d22ef15ff073c0ebe0fcd837c3aa08a03b48
Opcode Fuzzy Hash: 9146b03c2e8d932da26c20efbcba01a67f125d290116920eeae7d38d8af6231d
Instruction Fuzzy Hash: 77A1B335315201DFDB15DF68D994A2A7BB2EF89311F1584ADE6098F3A2CB35EC02CB51

Function 08286673 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

Pl]q, xrefs: 0828669F

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: Pl]q
API String ID: 0-2207481929
Opcode ID: 39b0586959d498f428cb4ce3d8e38d7d511419fb95cf9e2c1034db522717164d
Instruction ID: 6467a70111f19044b588767364e9cc17a7c708006211d383c77f5b0e6d039fee
Opcode Fuzzy Hash: 39b0586959d498f428cb4ce3d8e38d7d511419fb95cf9e2c1034db522717164d
Instruction Fuzzy Hash: 5FB1FF34B11218DFCB48EFA8D994E9EBBB6FF88700F104558E505AB3A5CB75AC45CB50

Function 08281EF5 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

4']q, xrefs: 08281FAA

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 0ac8c00a64a26286af7826a1846450715b7104d8c9603247034324a4c968357a
Instruction ID: 17e247ad629d80a013b08d9077dd5bf865734246980231f04b5f53c582dc2fd6
Opcode Fuzzy Hash: 0ac8c00a64a26286af7826a1846450715b7104d8c9603247034324a4c968357a
Instruction Fuzzy Hash: 7C41B230B193D19FCB07A73898687AD7FB6AF86610F19409BE441DF293CE645C0AC792

Function 08281F70 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

4']q, xrefs: 08281FAA

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: a7a8fed6b761d7c805ce088ee5862aec4e057b3eda934a0f2660363c5a543f46
Instruction ID: 8ec0fa213fff274d94f3d190de191c9c93af6f8a9799367162f9ce17cdbeab2b
Opcode Fuzzy Hash: a7a8fed6b761d7c805ce088ee5862aec4e057b3eda934a0f2660363c5a543f46
Instruction Fuzzy Hash: 8C416F30B206148FCB48EB68D894AADB7BBEFC9610F10451AE502AB794CF749C06CB91

Function 08283CE8 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

4']q, xrefs: 08283D8E

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 0dea42373bdbb4d01a97f95d258f93567f6b386a2711ae9a5d8f1ff60cfb48d1
Instruction ID: e460b24a458e915a0fd95688d2385736c6d9e83630b3ccefa9c2145bfe13926c
Opcode Fuzzy Hash: 0dea42373bdbb4d01a97f95d258f93567f6b386a2711ae9a5d8f1ff60cfb48d1
Instruction Fuzzy Hash: 1F318F357406009FD718EB29C998F2B77EAAFC8B04F104568E6068B3A5CF75EC02CB94

Function 08283CE5 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

4']q, xrefs: 08283D8E

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 50b817eb6511fdb9c069b66cbc7dfca9469d1115ef344e03ffd7fa399901e999
Instruction ID: f6325fbd80a1830acba7aa75e1d98f415f7e5798d976b3e2601051171c83b392
Opcode Fuzzy Hash: 50b817eb6511fdb9c069b66cbc7dfca9469d1115ef344e03ffd7fa399901e999
Instruction Fuzzy Hash: 8E315E357406009FD718EB69C998F2A77EAAFC8B05F104568E6068B3A5CF75EC02CB94

Function 0828A551 Relevance: 1.3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

xaq, xrefs: 0828A551

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: d9b590ca6e61084c87f1bdce96ec11d0d64fec86a92c90598b0e6de3006b148b
Instruction ID: 1b0d6ba064785abed84828ca50cff3f935a0907e13fd68d2bb9a0da0fd7f890a
Opcode Fuzzy Hash: d9b590ca6e61084c87f1bdce96ec11d0d64fec86a92c90598b0e6de3006b148b
Instruction Fuzzy Hash: 55F0A0347001109FDB04CB18D981A69BBF5FF88224F158199E10A9F361C771FC068B90

Function 082857B8 Relevance: .5, Instructions: 452COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2534d2bb720dd270be59ef9afdcd5b1c3134aedbac9d256401e6ca05af8462ba
Instruction ID: f4b88db8ac699bd47c5b87dcc09f5993d8a3e12daaab6a9effe75ee8e4ca7eb0
Opcode Fuzzy Hash: 2534d2bb720dd270be59ef9afdcd5b1c3134aedbac9d256401e6ca05af8462ba
Instruction Fuzzy Hash: BEF1CB30B11605CFCB05EB38D894AAE7BB2AF85301F24856ED5029B3D1CE74AC46CB91

Function 082821B0 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c233397c3ee4216d383cb576125bbbb6fded58803e2dd7661f87da32a8b897a
Instruction ID: 4b0298360905b3359d24ea0fb6e4e8653e805c34965eff77224b94fd5046bbdb
Opcode Fuzzy Hash: 6c233397c3ee4216d383cb576125bbbb6fded58803e2dd7661f87da32a8b897a
Instruction Fuzzy Hash: DF120834A10219CFCB54EF68C994A9DB7B2FF89300F5085A9E54AAB395DF30AD85CF50

Function 0828B2C0 Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a73b870aa41a1c7918f0cba574b3bbe34765acc96c44fdf7ccb75ab1423eb7e
Instruction ID: d785db944398e65d935225483372a799c6753c2a3b7e0c2587d01edf6bc0489b
Opcode Fuzzy Hash: 0a73b870aa41a1c7918f0cba574b3bbe34765acc96c44fdf7ccb75ab1423eb7e
Instruction Fuzzy Hash: 55C1C131A11751CFCF25DF28C454A2ABBF2BF85321F19865DE4968B6E2CB34E841CB41

Function 08286B14 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3092ea9f945d46e7c6d297b526b50d2eb002165e035cc89385716fb22e8f039a
Instruction ID: fdefb2bb392be13bbde775d107d1af3ad507e4d9db212f94af17886be72a587c
Opcode Fuzzy Hash: 3092ea9f945d46e7c6d297b526b50d2eb002165e035cc89385716fb22e8f039a
Instruction Fuzzy Hash: 89A18D34711604CFCB44EF68C8A49AE7BB6EFC9700B108969E5069B3A5DF74AC46CB91

Function 08286B48 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e97620ddda3ed30bbb8ff511e127a3886c4b36d9f53b09b5c280dbb0d7dd05a
Instruction ID: f3491c8a88560167ab4facc26c96b0620a20f59b39da4711cad8e16f0e8183c2
Opcode Fuzzy Hash: 5e97620ddda3ed30bbb8ff511e127a3886c4b36d9f53b09b5c280dbb0d7dd05a
Instruction Fuzzy Hash: 27A16C34710618CFCB44EF68C8949AE7BB6EFC9700F108A58E5169B3A4DF74AD46CB91

Function 08283170 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc2b0d8fbde93600bccca17feac585eae029048619aa4a685264884f62433ee9
Instruction ID: 48199b21e2d28cfa9050ad974e48ec911caff2e2dc6c094bc92b1f87f2b5888d
Opcode Fuzzy Hash: dc2b0d8fbde93600bccca17feac585eae029048619aa4a685264884f62433ee9
Instruction Fuzzy Hash: 2B915E34710615DFCB45EF68D898A6DBBB6BF89611F1480A9E506DB3A5CF30EC42CB90

Function 0828A6CB Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3935f35d8ae47c80c6da542c50f18395924064fcb28db76298329989c1d8acb
Instruction ID: 73d87184a4d685f7fcb4336d2cf815eba41a3536fe1f6dc88a2f5781c0c07a68
Opcode Fuzzy Hash: c3935f35d8ae47c80c6da542c50f18395924064fcb28db76298329989c1d8acb
Instruction Fuzzy Hash: 3A810674A22229EFCB14DF98D984E9DB7B2FF48310F154159E906AB3A1EB71EC41CB41

Function 08283161 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2218aa21f67029635db7802f9030d75dce5c30f3178ec52ebb8c62c5045dc7f
Instruction ID: b3950eb7eb0c584f20ac78d01e0ab9df694a884c6db081effaacef6ba5c66751
Opcode Fuzzy Hash: d2218aa21f67029635db7802f9030d75dce5c30f3178ec52ebb8c62c5045dc7f
Instruction Fuzzy Hash: DC612F34711605DFCB44EF68D894AADB7B6FF89711F1481A9E4069B3A5CB30EC42CB90

Function 08285AA0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fa232eadc32f4e6aaaa77a3dfc1296802e240c611c2cd6fe0195a7d56cdc8c
Instruction ID: 2b0cf94bf3659a6137ceeed869d59b788a92a4994f259268396bf37a972ebc8a
Opcode Fuzzy Hash: 41fa232eadc32f4e6aaaa77a3dfc1296802e240c611c2cd6fe0195a7d56cdc8c
Instruction Fuzzy Hash: 5D519D34B12605DFDB09EF64D594BAE7BB2EF88301F204429D8029B3D1CB78AD46CB95

Function 08285AC8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116ae6fd1386286db07e62edbeb152ec163c17e80b315476304dc061156a107b
Instruction ID: 581c98626b0caa0a81f023872acb4dbfb0e44f787d91dbea661aba503e4024c9
Opcode Fuzzy Hash: 116ae6fd1386286db07e62edbeb152ec163c17e80b315476304dc061156a107b
Instruction Fuzzy Hash: 9E516D74B11605DFDB09EB64D554BAEBBB2EF88301F204529E9029B3D0CF74AD42CB95

Function 0828B158 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb7acd38c2d8af3f4b6cc090d34225eac488516fe49d93129728de989ff558d3
Instruction ID: 3613bb82ad1837812f5e4a629154f26bd3fdf77552c606081fecedabaa1b935a
Opcode Fuzzy Hash: cb7acd38c2d8af3f4b6cc090d34225eac488516fe49d93129728de989ff558d3
Instruction Fuzzy Hash: 3841D131B11715CFCF60EB78D54029EBBF1FF84621B04896EC55ACBA94DA30E841CB81

Function 0828AA70 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082ba610190980c0ee0582ab1acbcf2c0776bab8304536040954b99f5f1d4f60
Instruction ID: 63e540ec51ef11543b4c444453ef2984ba8a52299bba74671722e8d8b476aab4
Opcode Fuzzy Hash: 082ba610190980c0ee0582ab1acbcf2c0776bab8304536040954b99f5f1d4f60
Instruction Fuzzy Hash: 3A419E31B012159FCB44DB68D854A9EBBF6FF88310B2585AAE50ADB361DB31EC01CB80

Function 08285E11 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7610789632b0fb8e01ce385b931a6972da1200fc3a91ac02cc3b893153ea341a
Instruction ID: ccb3cfd8967471d5c33dbc4883b4c86b460b64b6e0aaf9c20b72c627d6605443
Opcode Fuzzy Hash: 7610789632b0fb8e01ce385b931a6972da1200fc3a91ac02cc3b893153ea341a
Instruction Fuzzy Hash: 3431BE34B206048FCB45EF38C9955AEBBB6EFC9600B10815AE402DB3A5DF749D06CBD1

Function 082834A0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f51479fba65ecf547e620c509df52c64f4912d38b415d70d2a2d307c7aaa60c
Instruction ID: c63f58fe78f451ce3ec4b61459f91763d23c2d84e2ec79442b66cb3859f91474
Opcode Fuzzy Hash: 5f51479fba65ecf547e620c509df52c64f4912d38b415d70d2a2d307c7aaa60c
Instruction Fuzzy Hash: FE315C35A11119DBDF14EF68D858AEEB7B6FF88311F108029E801B7394CB359D05CBA0

Function 08285E28 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe477cf2882267c48b7021b1ce1937c05f927d725dcca1896c7d016e12025abe
Instruction ID: 76c3040bf1d874dc6b5d32a1463a0711afbf21a902ac7725b8b3505c88933536
Opcode Fuzzy Hash: fe477cf2882267c48b7021b1ce1937c05f927d725dcca1896c7d016e12025abe
Instruction Fuzzy Hash: D5317234B106188FCB44EF68C995AAEB7BAEFC8700F10851AE5069B354DF709D06CBD1

Function 016FD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4495340399.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_16fd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf328bb05fa29b548c27f4c418bce0060fc5e8121fcda37cfb966cea5ff4ebd1
Instruction ID: 61924d3be35d909951ff6dabf0e377ddb5306220a36d63bd06dd58d14ed40efd
Opcode Fuzzy Hash: bf328bb05fa29b548c27f4c418bce0060fc5e8121fcda37cfb966cea5ff4ebd1
Instruction Fuzzy Hash: 4321F271604204DFDB15DF68D984F26BF65FB88354F20C56DEA0A4B396C33AE447CA62

Function 0828B2B0 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bc8607e8822f381af9d6da807e9820942bdda6d775c3c8b396c9dde124e5f5a
Instruction ID: 23211b7ea1401c769fae7bd9ec10a835b3af3085bd1287a472b3df94927b2d42
Opcode Fuzzy Hash: 9bc8607e8822f381af9d6da807e9820942bdda6d775c3c8b396c9dde124e5f5a
Instruction Fuzzy Hash: A8212771619784DFC7129B39D8106067FF1AF87231B0986AFD0A5CB6E7C630A84ACB11

Function 0828388F Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289ebf005c076ceda8358584a35bb06e81241a8b1ec8281209c52e87ee1841cb
Instruction ID: 556b35cdc4042d06270d0212c75cfc782fa56d5250997ebf20882461a60149be
Opcode Fuzzy Hash: 289ebf005c076ceda8358584a35bb06e81241a8b1ec8281209c52e87ee1841cb
Instruction Fuzzy Hash: 1E21CA7520A7808FD302AB3498645593F71EF93710B8A44EBC5428F2A3DA39980ACB26

Function 0828ABB8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc0c987b5e167a2341777e93123ca576230de3926c7c631935747d8a3a2e370
Instruction ID: 8d5c9056e3f67736e73e3f73f3b502dbfb866d68896557cfa37b5f7c8ae705dd
Opcode Fuzzy Hash: adc0c987b5e167a2341777e93123ca576230de3926c7c631935747d8a3a2e370
Instruction Fuzzy Hash: A8216935A10219DFCB05DFA8C4849DE7FB6BB88321F14852AE816AB390CE319881CF91

Function 0828ABC8 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261a350e9fed029787b0c20c58cae743606f64dbcf905a5353c07bb86b0c34ed
Instruction ID: bf0ce6b60a282b338bdaef4159ed32fb3ad3039e8271e608f85ae758b8a6bec8
Opcode Fuzzy Hash: 261a350e9fed029787b0c20c58cae743606f64dbcf905a5353c07bb86b0c34ed
Instruction Fuzzy Hash: A8215935A10219DFCF159FA8C8549EEBFB6FB8C320F14412AE816A7394CE319841CB91

Function 08280E78 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175b8b95142271a1da068d8341713511a3b419f0901ed6a4bd3a5d5ab63ce708
Instruction ID: 4df707992539e4e5909a33bb60f740f38b3e86a65ae292dba795e76e952ca8ce
Opcode Fuzzy Hash: 175b8b95142271a1da068d8341713511a3b419f0901ed6a4bd3a5d5ab63ce708
Instruction Fuzzy Hash: D011E536210500EFCF065F98D904DAA7F72EF89212B0540DAE6058F272CB36CC56DB50

Function 08282D78 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ba2282cead71207dbeb77614129ff5f1bc7ac782b77e246a792989b5d977d0
Instruction ID: 98cb8020ef6f424c5399a85492da7c3f87557fa4a553337eb8b9eb7741fe4169
Opcode Fuzzy Hash: 89ba2282cead71207dbeb77614129ff5f1bc7ac782b77e246a792989b5d977d0
Instruction Fuzzy Hash: DB21DE70610204CFCB55EF28D984AAABBF6FF85311F144469E4029B3A1DB30AD05CB61

Function 016FD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4495340399.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_16fd000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969cfd739f1dacd2dd5f55382d77606a307225c8b33ce6c1078b35d2ecf53e46
Instruction ID: 3127601ae05317eae2d64baf92a43a3ef48770fac6bd2f5f60423c2517f998ea
Opcode Fuzzy Hash: 969cfd739f1dacd2dd5f55382d77606a307225c8b33ce6c1078b35d2ecf53e46
Instruction Fuzzy Hash: AF218B755093808FDB03CF24D994B15BF71EB46214F28C5EAD9498B6A7C33A980ACB62

Function 08282D88 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced5c0b6a815178457d3e332273eae24465bd44dd1329a1928655bf53bedb391
Instruction ID: 1742efe1f53f6971e0eacb16a8a1a7459c35dd4e0200167824c37551df64446f
Opcode Fuzzy Hash: ced5c0b6a815178457d3e332273eae24465bd44dd1329a1928655bf53bedb391
Instruction Fuzzy Hash: A0117934B10604CFCB54EF28D984AAEB7BAEFC8310F144529E5069B360DB70ED05CBA1

Function 0828A8C8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8078f2a67803dd3098a6d12bcf1fbc098cab93345da0cd6f8b472dd880adfff
Instruction ID: 978eaa11622e3a690ac4828093da800c552b2701ce632d35d1ba6f7a440a4870
Opcode Fuzzy Hash: a8078f2a67803dd3098a6d12bcf1fbc098cab93345da0cd6f8b472dd880adfff
Instruction Fuzzy Hash: E711A034A26225DFCB11DB68D894EADBBB1FF48320F05019AF512AB3A2CB349C41CB41

Function 082835D9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 954de88f62a8710ffef7e008bb99d22177f8229e3c370ea7b3d7ae769f8e688b
Instruction ID: 5bde8265f2be102b8a83f992ec6578aa7f6ff4cbb873c2a8d07beaacf5b148c6
Opcode Fuzzy Hash: 954de88f62a8710ffef7e008bb99d22177f8229e3c370ea7b3d7ae769f8e688b
Instruction Fuzzy Hash: 0001C231315780CFC715E728D454A26BBA2AFC5221F1886ADD1568B7D1CB74AC06DB41

Function 0828B6D0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed29f8e6e1b59bf9d2ae8ab3f83442fbc43f2480d09b3fdd8d4b6ec5175e727
Instruction ID: 252abe42d037e5b0b1335b329fd98825ff32fd8b3c207b58d3ed7a0976d8aae0
Opcode Fuzzy Hash: 4ed29f8e6e1b59bf9d2ae8ab3f83442fbc43f2480d09b3fdd8d4b6ec5175e727
Instruction Fuzzy Hash: 5C01CC35E117099FCB01EFA8D4049ADBFB5AF89311B0081AEE449E7360EB309A08CF61

Function 08280991 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70945b5547310368e6fc37b7c1b13ad0bacae32af8d71ac5ce639d69a3e3e065
Instruction ID: 884cf64626ebe945c73144d9414d6769dc80e8d282ef839076aa850935e830ec
Opcode Fuzzy Hash: 70945b5547310368e6fc37b7c1b13ad0bacae32af8d71ac5ce639d69a3e3e065
Instruction Fuzzy Hash: A5017175300744DFC3069B28D61491ABBB2EF89711710859AE9058B7A1CF35DD03CB95

Function 082835E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25ccf390dc2823321643a08123818732e79afc949914067666f62db44ef4b51b
Instruction ID: bf58bba7c18a6e5ab199af08a810539dee7d7c9c2ff81942624ca5f23177c9b1
Opcode Fuzzy Hash: 25ccf390dc2823321643a08123818732e79afc949914067666f62db44ef4b51b
Instruction Fuzzy Hash: 3C019E35711610DFCB25AB28D458A2BBBA2EFC8621F14856CE6164B7D0CB75EC02DB84

Function 082809A0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e1a44058cdb7e4d6e4a6e2411200516a3cf76c96d2fd6c250614244934a9d1
Instruction ID: 95e51432b58956f2d148c0de71a676cec3140c8ae319735b583b223325e236ae
Opcode Fuzzy Hash: 19e1a44058cdb7e4d6e4a6e2411200516a3cf76c96d2fd6c250614244934a9d1
Instruction Fuzzy Hash: 61018135300610AFC705DB28D51491EBBA6EFCC711710812AEA0687790CF75EC03CBD5

Function 016ED603 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4495267368.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_16ed000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b90e07b7c379f7fa8ceeccd564aaa60f6cace2ae6d93815679169dc245ed2f
Instruction ID: 885e48692aa497768809c851d01eea507363fafb26d09edc8d77695d4b8a188e
Opcode Fuzzy Hash: 56b90e07b7c379f7fa8ceeccd564aaa60f6cace2ae6d93815679169dc245ed2f
Instruction Fuzzy Hash: 44F0E7B6200650AF97208F0AD885C27FBADFBD4674715C59AE84A4B712C671EC42CEA0

Function 08280718 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15cc0815fe5414b19f43346eda52229a4e5d451976a670326b2f74575d304e35
Instruction ID: e8149e374c61a94b82ea834d7a04899b0c8e83b6c1720bd52d0c17090c69fefb
Opcode Fuzzy Hash: 15cc0815fe5414b19f43346eda52229a4e5d451976a670326b2f74575d304e35
Instruction Fuzzy Hash: 9DF0CD793013809FC306CB28C454D6A7FB2EF8A321B0544AAE946CF3B2CA31DC06DB50

Function 016ED5F4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4495267368.00000000016ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 016ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_16ed000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3d53c97ba917c09a07cb505b8f08b7587f3760aa67b55b7cd5b5b9e1c3e050
Instruction ID: 970f3f81276e91abce0894fefc1f0b3894fdd88b7b26ad9bdafd7e93c3051679
Opcode Fuzzy Hash: ee3d53c97ba917c09a07cb505b8f08b7587f3760aa67b55b7cd5b5b9e1c3e050
Instruction Fuzzy Hash: 84F03775104680AFD325CF06CC84C22BBF9FF89760B198589E88A8B362C631FC42CF60

Function 08280728 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c445859f7b16abd1fdf66aa1f36d148b45aeae33a1669dcc0b562713d5d61a9f
Instruction ID: 814f2e59aab9b7487d66ee5e0250814ad1926de73f4231c305d7e683e20a52af
Opcode Fuzzy Hash: c445859f7b16abd1fdf66aa1f36d148b45aeae33a1669dcc0b562713d5d61a9f
Instruction Fuzzy Hash: E6F03A353103009FC704DB19D854D2A77AAEFC9721B144069F906CB360CE31EC42DB90

Function 0828AA20 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c5ccce2be06ae3dfe8ae0c56255414bc9da4e2e14b2fd9ede3ace420d46191
Instruction ID: ef8fc87120ab60577fbb6d969a2762e8d843e62914851c10f166e03db134f7cf
Opcode Fuzzy Hash: a7c5ccce2be06ae3dfe8ae0c56255414bc9da4e2e14b2fd9ede3ace420d46191
Instruction Fuzzy Hash: F8D02B2170A1508FD304D2B499711AE3B979BC9110788C05FC54DC7A95DC398C034359

Function 0828AA30 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e0e718509916fef51bf459b2f0245b2715c214e22a27f7c91399918c01c0cd
Instruction ID: 7cfd0d4c3fddf5933c5c516c23f67fb3a1d98f3b765f6f20d2bec2b0d7cd1633
Opcode Fuzzy Hash: 95e0e718509916fef51bf459b2f0245b2715c214e22a27f7c91399918c01c0cd
Instruction Fuzzy Hash: 4DD0123570612487C718E6BAA8645AF76CFDBCD261B44C02AD60EC3B54CD799C0347ED

Function 082806F1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16445234cd1cd601a4b6716a53d7a982afa153b1ec7842522197510c767dae5
Instruction ID: 641ddd9e09dde10c7fdd7d2e119e9acb59a3d51fdb1d42da3dbf6915f3d34ee2
Opcode Fuzzy Hash: c16445234cd1cd601a4b6716a53d7a982afa153b1ec7842522197510c767dae5
Instruction Fuzzy Hash: 75D0923604D684AFC3028B24E8558507FB19E1666132E80D7E488CF673C6268C5ACB16

Function 08280E51 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1940ff109858dc60fa9c02908d7787df2cec87e889afe8340f4e3ba9e588c4c4
Instruction ID: 1eda7b764c6fd32a83bc3be46451f965d8c350d8707f4de00ecae66983004eb0
Opcode Fuzzy Hash: 1940ff109858dc60fa9c02908d7787df2cec87e889afe8340f4e3ba9e588c4c4
Instruction Fuzzy Hash: C2D0A97221ABC18FD303CB30A5254403F30EA4321039588EAD086CF493C339984ADB2A

Function 0828AA43 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4e5112f517afd36ea840ba8af381a237089a20a5daabd57e49ee680a295d96
Instruction ID: 9052a322cae696b60329e7136e38bc78a429c3a4202a7e3c45a47f36ea69d9c8
Opcode Fuzzy Hash: 3a4e5112f517afd36ea840ba8af381a237089a20a5daabd57e49ee680a295d96
Instruction Fuzzy Hash: 91B012E3EA0A148748010CF4FC2C6DE2F43F8740FA75C0071E48CC6326910FC6470564

Function 08289F78 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a6343fbd4700706ef2b5cadc7211305ebb299552f6b9df566e3bebd50c6aa2
Instruction ID: a2dc259c2525898e418c4b3dbd914e9bdaf0248e3e64ef4e1b157ef62cf3eb13
Opcode Fuzzy Hash: 04a6343fbd4700706ef2b5cadc7211305ebb299552f6b9df566e3bebd50c6aa2
Instruction Fuzzy Hash: 73C08C3842220CCFEE206B60D449735BB9CE70433BF10229CEC08051C18B7664D3C993

Function 08280700 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 082838C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304e9e2103c68f733927a7b048fbe792a07fad40ee1e1ea353e53303cea05ab8
Instruction ID: 63b7206a1deec53de168eaedddd7c36ff7ba00c58f4eaa4236a759c56ce0b1a4
Opcode Fuzzy Hash: 304e9e2103c68f733927a7b048fbe792a07fad40ee1e1ea353e53303cea05ab8
Instruction Fuzzy Hash: 9CB09236008308EB8601AA84E904855BB69AB58660700C025B609061118B32A822DB94

Non-executed Functions

Function 08281108 Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

(_]q, xrefs: 0828182A
(_]q, xrefs: 082817F4
(_]q, xrefs: 082817BD
(_]q, xrefs: 082817B3

Memory Dump Source

Source File: 00000008.00000002.4528078849.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8280000_workbook.jbxd

Similarity

API ID:
String ID: (_]q$(_]q$(_]q$(_]q
API String ID: 0-2651352888
Opcode ID: e8a736befb37d85f867c91f0c159465a7116ec972ca736485d3bba0e5f1f7b10
Instruction ID: f5306fa617974ee6f3a5bfdadc1392838d68f0a012f9f828ad4fccebf9df4a76
Opcode Fuzzy Hash: e8a736befb37d85f867c91f0c159465a7116ec972ca736485d3bba0e5f1f7b10
Instruction Fuzzy Hash: DC61DD34B15245CFCB05AB78C89446E7FB2EF8A200B1548AED4469B3A2EB35DC56CB90

Analysis Process: workbook.exePID: 2316, Parent PID: 6076COMMON

Execution Graph

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	91
Total number of Limit Nodes:	14

Executed Functions

Function 01846518 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018465BE
GetCurrentThread.KERNEL32 ref: 018465FB
GetCurrentProcess.KERNEL32 ref: 01846638
GetCurrentThreadId.KERNEL32 ref: 01846691

Strings

a`RI, xrefs: 0184655C

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID: a`RI
API String ID: 2063062207-1837384376
Opcode ID: e4755fd2cc6c8322636c6d9a931c6f4c73e4fc579be017152bfb3bd4fb75f074
Instruction ID: b210b2e36142bc2dab02141c5092907250029dd865f440fb2b69c22938c57181
Opcode Fuzzy Hash: e4755fd2cc6c8322636c6d9a931c6f4c73e4fc579be017152bfb3bd4fb75f074
Instruction Fuzzy Hash: C25188B09013498FDB08CFA9D548B9EBFF5EF49314F208459D509A7290DB389948CFA9

Function 01846540 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018465BE
GetCurrentThread.KERNEL32 ref: 018465FB
GetCurrentProcess.KERNEL32 ref: 01846638
GetCurrentThreadId.KERNEL32 ref: 01846691

Strings

a`RI, xrefs: 0184655C

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: Current$ProcessThread
String ID: a`RI
API String ID: 2063062207-1837384376
Opcode ID: 49abca8c548ae5affdb41c770b89f395e4bf72f497bee23f2fec255144220bb7
Instruction ID: 47821d2e38e22aaa94363a0805565f7a67aa527b597a25c382597ae43554633e
Opcode Fuzzy Hash: 49abca8c548ae5affdb41c770b89f395e4bf72f497bee23f2fec255144220bb7
Instruction Fuzzy Hash: D45147B09013098FDB18DFA9D548BAEBFF5EF49304F208459E509A7350DB346948CFA5

Function 0184BFF0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0184C256

Strings

a`RI, xrefs: 0184C20F

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: HandleModule
String ID: a`RI
API String ID: 4139908857-1837384376
Opcode ID: 68aca1930082884bdcf039261c67d463748ab9ff81e73b899751e53aac2ca66e
Instruction ID: 5d512a2303bd9be1b7b84ed6a611140b94561f4ae62a66691698b39dfa056fcf
Opcode Fuzzy Hash: 68aca1930082884bdcf039261c67d463748ab9ff81e73b899751e53aac2ca66e
Instruction Fuzzy Hash: AF817970A01B498FD724DF6AD44475ABBF5FF88300F00892ED48ACBA50DB75E949CB91

Function 01846414 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01847421

Strings

a`RI, xrefs: 018473A4

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: Create
String ID: a`RI
API String ID: 2289755597-1837384376
Opcode ID: eca5c1bc31095f56701e0dce8bca940f71b8f605f810351091591602d2628b9b
Instruction ID: 56d5a40945255120c7784b276d9896386152b1d86ad59d70b7256e90ef0ed25a
Opcode Fuzzy Hash: eca5c1bc31095f56701e0dce8bca940f71b8f605f810351091591602d2628b9b
Instruction Fuzzy Hash: 7741B2B0C0071DCBDB24DFA9C884B9DBBF5BF49304F20806AD918AB255DB756949CF91

Function 01847364 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01847421

Strings

a`RI, xrefs: 018473A4

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: Create
String ID: a`RI
API String ID: 2289755597-1837384376
Opcode ID: 60530ad34363b40e5dbe848a8fc76ae000090820dc2698f4cc47a5ec82364acc
Instruction ID: 1ffbcf59192f43a579b87f886b93c10be636d6625b119dcb0f2f69a559710638
Opcode Fuzzy Hash: 60530ad34363b40e5dbe848a8fc76ae000090820dc2698f4cc47a5ec82364acc
Instruction Fuzzy Hash: 6741F2B0C0021DCFDB24DFA9C884B9DBBF5BF48304F20805AD518AB255DB756949CF90

Function 01846780 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184680F

Strings

a`RI, xrefs: 018467A7

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID: a`RI
API String ID: 3793708945-1837384376
Opcode ID: c163b599303d236e73446d0855ec01712ef690efa3e18f87fc70930477eac0d7
Instruction ID: 6d95230020fff306012e110124fca9ecaa455264f8a0cc474204ef67b2cb6f69
Opcode Fuzzy Hash: c163b599303d236e73446d0855ec01712ef690efa3e18f87fc70930477eac0d7
Instruction Fuzzy Hash: 6A21F7B5D002089FDB10CF9AD984ADEFBF4FB48320F14805AE918A3211D775A954CFA5

Function 01846788 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184680F

Strings

a`RI, xrefs: 018467A7

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID: a`RI
API String ID: 3793708945-1837384376
Opcode ID: 7524b144cde6c7d2acc78a5667de96f83588a4e6fa5cbf3e92e6300549e20cac
Instruction ID: 1949fd47b3cac83b53175636da44005b2d1cebdaa8bcdaad4146504b59d6fbd2
Opcode Fuzzy Hash: 7524b144cde6c7d2acc78a5667de96f83588a4e6fa5cbf3e92e6300549e20cac
Instruction Fuzzy Hash: 0B21C4B5D002489FDB10CFAAD984ADEBFF9FB48310F14841AE918A3350D779A944CFA5

Function 0184C1F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0184C256

Strings

a`RI, xrefs: 0184C20F

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: HandleModule
String ID: a`RI
API String ID: 4139908857-1837384376
Opcode ID: 4fb99648d835c70181dbc20198c8d927c6623a8dfcdbb3cd603a1a7b9e89e391
Instruction ID: 9f04c2968f44bdd8886e90053ce1e208f3f676f58a20604641ba42414f71bc8b
Opcode Fuzzy Hash: 4fb99648d835c70181dbc20198c8d927c6623a8dfcdbb3cd603a1a7b9e89e391
Instruction Fuzzy Hash: 4F1110B5C002498FDB10DF9AC444ADEFBF8EF88310F10841AD929B7210C3B9A645CFA1

Function 058F23A8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 058F240D

Strings

a`RI, xrefs: 058F23CA

Memory Dump Source

Source File: 0000000B.00000002.2169326120.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_workbook.jbxd

Similarity

API ID: MessagePost
String ID: a`RI
API String ID: 410705778-1837384376
Opcode ID: b10b676609b1d229696642201d3322d6b4f3488b422afecb334c47bbee057dd6
Instruction ID: 52f6f7805e097f4dee9009c9e14127de8e95103cbf308ae95060231f94ee444e
Opcode Fuzzy Hash: b10b676609b1d229696642201d3322d6b4f3488b422afecb334c47bbee057dd6
Instruction Fuzzy Hash: 9911C5B58003499FDB10DF9AD885BDEBFF8EB58320F108459EA19A7250D379A944CFA1

Function 058F23B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 058F240D

Strings

a`RI, xrefs: 058F23CA

Memory Dump Source

Source File: 0000000B.00000002.2169326120.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_workbook.jbxd

Similarity

API ID: MessagePost
String ID: a`RI
API String ID: 410705778-1837384376
Opcode ID: 66df7ccdc036aa0915c36be365d31fe64154a20a7ebe431ccfd55624e0a07bc0
Instruction ID: 74221c07a7186b4f64a7a6d7949520be278b8a99222169acff04b4648ce12b20
Opcode Fuzzy Hash: 66df7ccdc036aa0915c36be365d31fe64154a20a7ebe431ccfd55624e0a07bc0
Instruction Fuzzy Hash: E211D3B58003499FDB10DF9AD845BDEBBF8FB58320F10845ADA19A7240C379A984CFA1

Function 058F264F Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a`RI, xrefs: 058F26F2

Memory Dump Source

Source File: 0000000B.00000002.2169326120.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_workbook.jbxd

Similarity

API ID:
String ID: a`RI
API String ID: 0-1837384376
Opcode ID: d19afd9bdb11ad50274bd0e79f6b6b7d00f2570ad47fab87e47c057ab185f0f3
Instruction ID: c299085e2a1da177fa22a3d4ff9cb14d782fc63b620311a3c04e69e223be0d5a
Opcode Fuzzy Hash: d19afd9bdb11ad50274bd0e79f6b6b7d00f2570ad47fab87e47c057ab185f0f3
Instruction Fuzzy Hash: 5831EBBA8043888FCB11DFA9D844BDABFF0BF19310F14849AD995A7252C3389944CFA1

Function 058F26D8 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 058F2730

Strings

a`RI, xrefs: 058F26F2

Memory Dump Source

Source File: 0000000B.00000002.2169326120.00000000058F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58f0000_workbook.jbxd

Similarity

API ID: CloseHandle
String ID: a`RI
API String ID: 2962429428-1837384376
Opcode ID: a57f3d99f9d9b19b95e074ec62d1bfa6be798c56e01fc5fd0b27b7906d87bcb6
Instruction ID: 20ed8ca1a9a3bfe4ff38696644d6ad923a3e1002e761e0e7ee3ad50581ca135c
Opcode Fuzzy Hash: a57f3d99f9d9b19b95e074ec62d1bfa6be798c56e01fc5fd0b27b7906d87bcb6
Instruction Fuzzy Hash: 191106B58002498FCB10DF9AC545BDEBBF4FB48320F10845ADA59A7240D739A944CFA5

Function 01846847 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0184680F

Memory Dump Source

Source File: 0000000B.00000002.2157767456.0000000001840000.00000040.00000800.00020000.00000000.sdmp, Offset: 01840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1840000_workbook.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 13193feaabf566a689fdebb66133efc08a111bc26552ee823269d80d11d1c64e
Instruction ID: 31d5bc0cf2703dfed6027264b79504c3bd1f61a29a909cafe02f53aa1d9ec93d
Opcode Fuzzy Hash: 13193feaabf566a689fdebb66133efc08a111bc26552ee823269d80d11d1c64e
Instruction Fuzzy Hash: 1F412974A40304DFE704DF65F449B6A7BB9FB48311F148429E9069B380DB785941CF21

Function 017AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2157304992.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17ad000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6deeb10f614ad7f54fa8e73e778a76f9da7253cd81ec837395a0ac6477fc48
Instruction ID: fe55d2f5214882252fcb2f00b8f63292bad74d180af96388c32b6c4d89366785
Opcode Fuzzy Hash: cf6deeb10f614ad7f54fa8e73e778a76f9da7253cd81ec837395a0ac6477fc48
Instruction Fuzzy Hash: 5F210371684204DFCB25DF68D984B17FF65EB88314F60C6A9D9094B656C33AD406CA61

Function 017AD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2157304992.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_17ad000_workbook.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: c892b94cc35907913457ec6eabcf30731c959ffd77ed794cc6f9bd20401520cf
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 2611D075544280CFDB12CF54D5C4B16FF71FB88314F24C6A9D8494B656C33AD40ACB62

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc_Zapytanie - Oferta KH 09281.com.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Quasar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\doc_Zapytanie - Oferta KH 09281.com.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\workbook.exe.log

C:\Users\user\AppData\Roaming\SubDir\workbook.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
doc_Zapytanie - Oferta KH 09281.com.exe

Function 015FD4E8 Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Function 015FD4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0320322E Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Function 03203238 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 015FAE59 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Function 015F590D Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 015F44E4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 03202FAA Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre