
Windows Analysis Report
doc_Zapytanie - Oferta POLSKA 91044PL.com.exe

Overview

General Information

Sample name: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
Analysis ID: 1509224
MD5: 72c1f40eafabdcdb3662d1dad9ee2230
SHA1: 7c7ad3ba48bf9ce3e2b487d98b6a66d4d631892a
SHA256: fd3b039df3e9a565b6964276f98c61d4555f3f3dabf1a9d76604f9ff4d4b3fb7
Tags: exe

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • doc_Zapytanie - Oferta POLSKA 91044PL.com.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe" MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
    • doc_Zapytanie - Oferta POLSKA 91044PL.com.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe" MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
      • schtasks.exe (PID: 7544 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • workbook.exe (PID: 7596 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
        • workbook.exe (PID: 7720 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
          • schtasks.exe (PID: 7764 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • schtasks.exe (PID: 5164 cmdline: "schtasks" /delete /tn "workbook" /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5040 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • chcp.com (PID: 2124 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)
            • PING.EXE (PID: 6556 cmdline: ping -n 10 localhost MD5: B3624DD758CCECF93A1226CEF252CA12)
  • workbook.exe (PID: 7684 cmdline: C:\Users\user\AppData\Roaming\SubDir\workbook.exe MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
    • workbook.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
    • workbook.exe (PID: 7904 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: 72C1F40EAFABDCDB3662D1DAD9EE2230)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author
00000005.00000002.1824379236.00000000028B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000006.00000002.1862456672.000000000282F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
(5 of 13 entries shown)

Source | Rule | Description | Author (matched strings listed beneath each row)
2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28ef4d:$x1: Quasar.Common.Messages
  • 0x29f276:$x1: Quasar.Common.Messages
  • 0x2ab83a:$x4: Uninstalling... good bye :-(
  • 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2aadec:$f1: FileZilla\recentservers.xml
  • 0x2aae2c:$f2: FileZilla\sitemanager.xml
  • 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2ab0ba:$b1: Chrome\User Data\
  • 0x2ab110:$b1: Chrome\User Data\
  • 0x2ab3e8:$b2: Mozilla\Firefox\Profiles
  • 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data
  • 0x2ab6f6:$b5: YandexBrowser\User Data\
  • 0x2ab764:$b5: YandexBrowser\User Data\
  • 0x2ab438:$s4: logins.json
  • 0x2ab16e:$a1: username_value
  • 0x2ab18c:$a2: password_value
  • 0x2ab478:$a3: encryptedUsername
  • 0x2fd384:$a3: encryptedUsername
  • 0x2ab49c:$a4: encryptedPassword
  • 0x2fd3a2:$a4: encryptedPassword
  • 0x2fd320:$a5: httpRealm
2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x164f16:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2ab924:$s3: Process already elevated.
  • 0x28ec4c:$s4: get_PotentiallyVulnerablePasswords
  • 0x278d08:$s5: GetKeyloggerLogsDirectory
  • 0x29e9d5:$s5: GetKeyloggerLogsDirectory
  • 0x28ec6f:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fea6e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>
(5 of 18 entries shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, ParentProcessId: 7720, ParentProcessName: workbook.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 7764, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe", ParentImage: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, ParentProcessId: 7496, ParentProcessName: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 7544, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-11T10:25:15.454254+0200 | 2035595 | 1 | Domain Observed Used for C2 Detected | 213.159.74.80 | 9792 | 192.168.2.4 | 49735 | TCP
2024-09-11T10:25:15.454254+0200 | 2027619 | 1 | Domain Observed Used for C2 Detected | 213.159.74.80 | 9792 | 192.168.2.4 | 49735 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: 6.2.workbook.exe.3b6c688.1.raw.unpack; Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: twart.myfirewall.org; Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; ReversingLabs: Detection: 18%
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe; Virustotal: Detection: 31%
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe; ReversingLabs: Detection: 18%
Source: Yara match; File source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.1824379236.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1862456672.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7344, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7496, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: workbook.exe PID: 7596, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: workbook.exe PID: 7684, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: workbook.exe PID: 7720, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Joe Sandbox ML: detected
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe; Joe Sandbox ML: detected
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CEnL.pdbSHA256(53 source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, workbook.exe.2.dr
Source: Binary string: CEnL.pdb source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, workbook.exe.2.dr

Networking

Source: Network traffic; Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 213.159.74.80:9792 -> 192.168.2.4:49735
Source: Network traffic; Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 213.159.74.80:9792 -> 192.168.2.4:49735
Source: Malware configuration extractor; URLs: twart.myfirewall.org
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
Source: Yara match; File source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:49735 -> 213.159.74.80:9792
Source: Joe Sandbox View; IP Address: 213.159.74.80
Source: Joe Sandbox View; IP Address: 195.201.57.90
Source: Joe Sandbox View; ASN Name: CTINET-ASCTINETAutonomousSystemRU
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: ipwho.is
Source: global traffic; HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
    Host: ipwho.is
    Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic; DNS traffic detected: DNS query: ipwho.is
Source: workbook.exe, 00000007.00000002.2339113373.0000000001985000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: workbook.exe, 00000007.00000002.2339113373.0000000001985000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: workbook.exe, 00000007.00000002.2341312292.00000000036A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ipwho.is
Source: workbook.exe, 00000007.00000002.2341312292.00000000036A8000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ipwho.isd
Source: workbook.exe, 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: workbook.exe, 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1808999815.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2341312292.00000000034EC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789220021.0000000005810000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com.
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: workbook.exe, 00000007.00000002.2341312292.0000000003696000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipwho.is
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2341312292.0000000003696000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipwho.is/
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2341312292.0000000003512000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown; HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49737 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\workbook.exe

                E-Banking Fraud

                Source: Yara match | File source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.1824379236.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1862456672.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7344, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7496, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7596, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7684, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7720, type: MEMORYSTR

                System Summary

                Source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
                Source: initial sample | Static PE information: Filename: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_0134D344
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A1E7D0
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A107F9
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A185A0
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A14140
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A1A080
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A1AE68
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A19C48
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A1AA30
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 0_2_07A10808
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 2_2_0148F03C
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 2_2_05419068
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 2_2_05410508
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 2_2_05410518
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Code function: 2_2_05419EE0
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 5_2_00E4D344
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 6_2_026CD344
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 7_2_0188F03C
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 7_2_085CDC50
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 7_2_085C7E48
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 11_2_02DBF03C
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1790894206.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1780683199.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000000.1749779539.0000000000A5A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCEnL.exe@ vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1779498530.000000000108E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe. vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Binary or memory string: OriginalFilenameCEnL.exe@ vs doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@29/7@2/2
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.log
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\0235e291-5d04-4fa3-932c-869aeec51499
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | File created: C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat" "
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Virustotal: Detection: 31%
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | ReversingLabs: Detection: 18%
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | File read: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                Source: unknown | Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /delete /tn "workbook" /f
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat" "
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptnet.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
                Source: C:\Windows\SysWOW64\chcp.comSection loaded: ulib.dll
                Source: C:\Windows\SysWOW64\chcp.comSection loaded: fsutilext.dll
                Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\PING.EXESection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\PING.EXESection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\PING.EXESection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static file information: File size 3701760 > 1048576
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x387000
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: CEnL.pdbSHA256(53 source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, workbook.exe.2.dr
                Source: Binary string: CEnL.pdb source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, workbook.exe.2.dr
                Source: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Static PE information: 0xE9F7EC64 [Sat May 22 04:00:36 2094 UTC]
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 6_2_026C47B0 push ebp; retf 6_2_026C4815
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 6_2_026C5EDD push edi; retf 6_2_026C5EDE
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Code function: 7_2_085C9AEC push FFFFFF8Bh; iretd 7_2_085C9AF0
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | File created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

                Boot Survival

                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | File opened: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes | delete
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7344, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7596, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7684, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 12F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 2DA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 99B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: A9B0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: B040000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: C040000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 1480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 2E10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: 4E10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: E40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2850000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2770000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 9130000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: A130000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: A6C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: B6C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2510000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 27F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2510000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 9070000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: A070000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: A5F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: B5F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: BA30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 1880000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 34E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 3400000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2D70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2FC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Memory allocated: 2EE0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Thread delayed: delay time: 922337203685477 (2 times)
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Thread delayed: delay time: 922337203685477 (4 times)
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Window / User API: threadDelayed 6184
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Window / User API: threadDelayed 3453
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe TID: 7368 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe TID: 7540 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7704 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7840 | Thread sleep time: -30437127721620741s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7884 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7936 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (4 times)
                Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Thread delayed: delay time: 922337203685477 (2 times)
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Thread delayed: delay time: 922337203685477 (4 times)
                Source: workbook.exe, 00000007.00000002.2362697689.0000000005E60000.00000004.00000020.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2365532678.0000000005E78000.00000004.00000020.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2362697689.0000000005E2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process token adjusted: Debug (3 times)
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory allocated: page read and write | page guard
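                The two evasion behaviours above that survive into ordinary endpoint telemetry are the Win32_BaseBoard / Win32_BIOS / Win32_Processor query trio issued by workbook.exe and the `ping -n 10 localhost` spawned from cmd.exe. The following is an added example, not code from Joe Sandbox or from the Quasar project, of turning both into triage rules. The record shape (ts, pid, image, kind, detail) is an assumption chosen for illustration and must be mapped onto whatever your EDR or WMI-Activity source emits; the sample records are constructed, with PID 7596 and the paths and query strings taken from the report and the timestamps and the inventory-agent record invented.

```python
import re
from collections import defaultdict

# The three WMI classes the report shows workbook.exe querying back to back.
HW_FINGERPRINT_CLASSES = frozenset({"win32_baseboard", "win32_bios", "win32_processor"})
WMI_FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.I)
# ping -n N against the loopback is a sleep of roughly N-1 seconds, not a network check.
PING_SLEEP_RE = re.compile(
    r"\bping(?:\.exe)?\b.*?-n\s+(\d+).*?\s(?:localhost|127\.0\.0\.1|::1)(?:\s|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def ping_sleep_seconds(cmdline):
    """Approximate delay introduced by 'ping -n N localhost' (about one second between
    echo requests, so N requests take roughly N-1 seconds); None if not a loopback ping."""
    m = PING_SLEEP_RE.search(cmdline)
    if not m:
        return None
    return max(int(m.group(1)) - 1, 0)


def hw_fingerprinting_pids(records, window=10.0):
    """PIDs that issue all of Win32_BaseBoard, Win32_BIOS and Win32_Processor
    within `window` seconds of each other. Returns {pid: image}."""
    first_seen = defaultdict(dict)  # pid -> {class: timestamp of first query}
    hits = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["kind"] != "wmi_query":
            continue
        m = WMI_FROM_RE.search(r["detail"])
        if not m or m.group(1).lower() not in HW_FINGERPRINT_CLASSES:
            continue
        times = first_seen[r["pid"]]
        times.setdefault(m.group(1).lower(), r["ts"])
        if len(times) == len(HW_FINGERPRINT_CLASSES) and \
                max(times.values()) - min(times.values()) <= window:
            hits[r["pid"]] = r["image"]
    return hits


def ping_sleeps(records):
    """(pid, image, seconds) for every process creation that is a loopback ping sleep."""
    out = []
    for r in records:
        if r["kind"] == "process_create":
            secs = ping_sleep_seconds(r["detail"])
            if secs is not None:
                out.append((r["pid"], r["image"], secs))
    return out


def triage(records):
    """Combine both rules. The fingerprint trio is rated high only for a binary under
    AppData, because legitimate inventory tooling issues the same three queries."""
    findings = []
    for pid, image in hw_fingerprinting_pids(records).items():
        sev = "high" if USER_WRITABLE_RE.search(image) else "info"
        findings.append((sev, f"pid {pid} {image}: WMI BaseBoard/BIOS/Processor fingerprint"))
    for pid, image, secs in ping_sleeps(records):
        findings.append(("medium", f"pid {pid} {image}: loopback ping used as ~{secs}s sleep"))
    return findings


# Constructed sample telemetry (not real logs): the first four records mirror the report's
# lines for PID 7596 and cmd.exe; timestamps, PID 7900 and the inventory agent are invented.
RAT = r"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
SAMPLE = [
    {"ts": 10.0, "pid": 7596, "image": RAT, "kind": "wmi_query",
     "detail": r"root\cimv2 : SELECT * FROM Win32_BaseBoard"},
    {"ts": 10.2, "pid": 7596, "image": RAT, "kind": "wmi_query",
     "detail": r"root\cimv2 : SELECT * FROM Win32_BIOS"},
    {"ts": 10.3, "pid": 7596, "image": RAT, "kind": "wmi_query",
     "detail": r"root\cimv2 : SELECT * FROM Win32_Processor"},
    {"ts": 12.0, "pid": 7900, "image": r"C:\Windows\SysWOW64\cmd.exe", "kind": "process_create",
     "detail": r"C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost"},
    {"ts": 30.0, "pid": 1234, "image": r"C:\Program Files\Inventory\agent.exe",
     "kind": "wmi_query", "detail": r"root\cimv2 : SELECT * FROM Win32_BIOS"},
]

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE):
        print(sev, msg)
```

                The ~9 s figure matters for sandbox operators: a run shorter than the ping delay plus the report's threadDelayed loops never reaches the C2 stage, which is exactly why the signature list carries "Uses ping.exe to sleep" and "Contains long sleeps" as evasion indicators.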

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Memory written: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe "C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" (3 times)
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /delete /tn "workbook" /f
                Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat" "
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 10 localhost
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (3 times)
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Fonts\micross.ttf
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1824379236.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1862456672.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7720, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 2.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.3b6c688.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.doc_Zapytanie - Oferta POLSKA 91044PL.com.exe.a50fe58.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.workbook.exe.3b6c688.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.1824379236.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1862456672.000000000282F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe PID: 7496, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7596, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7684, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: workbook.exe PID: 7720, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix as laid out in the report, one tactic per column. Digits in square brackets are the per-cell signature-count badges from the original matrix, kept exactly as they appear in the page; cells without digits carry no matched signature.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Scripting [1] | Valid Accounts | Windows Management Instrumentation [21] | Scripting [1] | DLL Side-Loading [1] | Disable or Modify Tools [1] | Input Capture [11] | File and Directory Discovery [1] | Remote Services | Archive Collected Data [1] | Ingress Tool Transfer [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job [1] | DLL Side-Loading [1] | Process Injection [111] | Obfuscated Files or Information [1] | LSASS Memory | System Information Discovery [23] | Remote Desktop Protocol | Input Capture [11] | Encrypted Channel [11] | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Scheduled Task/Job [1] | Scheduled Task/Job [1] | Timestomp [1] | Security Account Manager | Query Registry [1] | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Standard Port [1] | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading [1] | NTDS | Security Software Discovery [111] | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol [2] | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Masquerading [1] | LSA Secrets | Process Discovery [1] | SSH | Keylogging | Application Layer Protocol [113] | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion [41] | Cached Domain Credentials | Virtualization/Sandbox Evasion [41] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection [111] | DCSync | Application Window Discovery [1] | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories [1] | Proc Filesystem | Remote System Discovery [1] | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Network Configuration Discovery [11] | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1509224; Sample: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe; Startdate: 11/09/2024; Architecture: WINDOWS; Score: 100)

Contacted hosts: twart.myfirewall.org, windowsupdatebg.s.llnwi.net, ipwho.is
Sample-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 11 other signatures

Process tree (dropped files, signatures and network connections are listed under the process that caused them):

doc_Zapytanie - Oferta POLSKA 91044PL.com.exe (started)
    dropped: doc_Zapytanie - Of...91044PL.com.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    doc_Zapytanie - Oferta POLSKA 91044PL.com.exe (child)
        dropped: C:\Users\user\AppData\...\workbook.exe (PE32)
        signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
        workbook.exe
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            workbook.exe
                network: twart.myfirewall.org 213.159.74.80, ports 49735, 9792, CTINET-ASCTINETAutonomousSystemRU, Russian Federation
                network: ipwho.is 195.201.57.90, ports 443, 49737, HETZNER-ASDE, Germany
                dropped: C:\Users\user\AppData\...\WVguSISHHEaz.bat (DOS)
                signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
                cmd.exe
                    signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
                    conhost.exe
                    chcp.com
                    PING.EXE
                schtasks.exe
                    conhost.exe
                schtasks.exe
                    conhost.exe
        schtasks.exe
            conhost.exe
workbook.exe (started)
    workbook.exe
    workbook.exe
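The process tree and network facts in the behavior graph, turned into host-side detection checks. This is an added example written for this page, not code from the Joe Sandbox report and not Quasar code. The indicator constants (the workbook.exe and WVguSISHHEaz.bat paths, twart.myfirewall.org / 213.159.74.80, port 9792 as the non-ephemeral port listed for that host, and the ipwho.is / api.ipify.org lookup hosts) are taken from the report; the flat Sysmon-like event dicts, the regexes that widen the paths to any %AppData%\Roaming\<dir>\<name>.exe or %TEMP%\<name>.bat, every command line in the sample events and the benign look-alike events are assumptions constructed for illustration. The rules deliberately go beyond this one sample by matching the placement pattern rather than the exact file names.

```python
"""Host-side detection checks built from the behaviours recorded in this report.

Added example: not code from the Joe Sandbox report and not Quasar code.
IOC constants come from the report; the Sysmon-like event dicts, the regexes
and every sample event below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Indicators recorded in the report for this sample.
C2_HOST = "twart.myfirewall.org"
C2_IP = "213.159.74.80"
C2_PORT = 9792            # the non-ephemeral port listed for the C2 host
DROPPED_EXE = r"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
DROPPED_BAT = r"C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat"
IP_LOOKUP_HOSTS = {"ipwho.is", "api.ipify.org"}   # both appear in the URL list

# Generalised patterns (assumptions): any %AppData%\Roaming\<dir>\<name>.exe
# and any %TEMP%\<name>.bat, not only the paths seen in this run.
RE_APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe", re.I)
RE_TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.bat", re.I)


def _ends(path, *names):
    return path.lower().endswith(tuple(n.lower() for n in names))


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_process(ev):
    """Rules over one process-creation event; returns a list of Finding."""
    out = []
    image, cmd = ev.get("image", ""), ev.get("cmdline", "")
    parent, parent_cmd = ev.get("parent_image", ""), ev.get("parent_cmdline", "")
    # A binary under %AppData%\Roaming spawning the task scheduler or a shell
    # (workbook.exe -> schtasks.exe / cmd.exe in the report's process tree).
    if RE_APPDATA_EXE.search(parent) and _ends(image, "schtasks.exe", "cmd.exe"):
        out.append(Finding("appdata_exe_spawns_scheduler_or_shell", f"{parent} -> {image}"))
    # schtasks /create whose task action points back into %AppData%\Roaming.
    if _ends(image, "schtasks.exe") and "/create" in cmd.lower() and RE_APPDATA_EXE.search(cmd):
        out.append(Finding("schtasks_create_appdata_target", cmd))
    # cmd.exe running a .bat from %TEMP% that launches chcp.com / PING.EXE
    # (the report flags this as "Uses ping.exe to sleep").
    if _ends(parent, "cmd.exe") and RE_TEMP_BAT.search(parent_cmd) and _ends(image, "ping.exe", "chcp.com"):
        out.append(Finding("temp_bat_ping_sleep", f"{image} <- {parent_cmd}"))
    return out


def check_network(ev):
    """Rules over one outbound-connection event; returns a list of Finding."""
    out = []
    image = ev.get("image", "")
    host, ip, port = ev.get("dst_host", ""), ev.get("dst_ip", ""), ev.get("dst_port")
    if host == C2_HOST or ip == C2_IP or port == C2_PORT:
        out.append(Finding("quasar_c2_indicator", f"{image} -> {host or ip}:{port}"))
    # An %AppData%\Roaming binary asking a public service for the machine's IP.
    if host in IP_LOOKUP_HOSTS and RE_APPDATA_EXE.search(image):
        out.append(Finding("appdata_exe_ip_lookup", f"{image} -> {host}"))
    return out


def run(events):
    findings = []
    for ev in events:
        check = check_network if ev.get("type") == "network" else check_process
        findings.extend(check(ev))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


CMD = r"C:\Windows\System32\cmd.exe"
# Constructed events: image paths and parent/child links follow the report's
# process tree; every command line is an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "image": DROPPED_EXE, "cmdline": f'"{DROPPED_EXE}"',
     "parent_image": r"C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": DROPPED_EXE,
     "cmdline": f'schtasks.exe /create /tn "Updater" /tr "{DROPPED_EXE}" /sc onlogon'},
    {"type": "process", "image": CMD, "cmdline": f'cmd.exe /c "{DROPPED_BAT}"', "parent_image": DROPPED_EXE},
    {"type": "process", "image": r"C:\Windows\System32\chcp.com", "cmdline": "chcp 65001",
     "parent_image": CMD, "parent_cmdline": f'cmd.exe /c "{DROPPED_BAT}"'},
    {"type": "process", "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 10 localhost",
     "parent_image": CMD, "parent_cmdline": f'cmd.exe /c "{DROPPED_BAT}"'},
    # Benign look-alikes that must stay silent.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks.exe /create /tn "Vendor Agent" /tr "C:\Program Files\Vendor\agent.exe" /sc daily'},
    {"type": "process", "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 10.0.0.1",
     "parent_image": CMD, "parent_cmdline": "cmd.exe"},
    {"type": "network", "image": DROPPED_EXE, "dst_host": C2_HOST, "dst_ip": C2_IP, "dst_port": C2_PORT},
    {"type": "network", "image": DROPPED_EXE, "dst_host": "ipwho.is", "dst_ip": "195.201.57.90", "dst_port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "ipwho.is", "dst_ip": "195.201.57.90", "dst_port": 443},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Run it as a script to print the findings for the constructed events, or feed real process-creation and connection telemetry in the same dict shape. The two benign events show why the rules key on the report's AppData/Temp placement and the C2 port rather than on schtasks.exe or ping.exe alone, both of which are ubiquitous on a normal host; the plain-IOC rule (host, IP, port) still fires on the exact infrastructure from this run so that a hunt over historical logs catches it even where the file names differ.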

Source | Detection | Scanner | Label
doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | 31% | Virustotal | -
doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | 18% | ReversingLabs | -
doc_Zapytanie - Oferta POLSKA 91044PL.com.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat | 100% | Avira | BAT/Delbat.C
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\SubDir\workbook.exe | 18% | ReversingLabs | -

No Antivirus matches
Source | Detection | Scanner | Label
ipwho.is | 0% | Virustotal | -
twart.myfirewall.org | 10% | Virustotal | -
windowsupdatebg.s.llnwi.net | 0% | Virustotal | -
Source | Detection | Scanner | Label
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/14436606/23354 | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
https://api.ipify.org/ | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designersG | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/14436606/23354 | 0% | Virustotal | -
http://www.fontbureau.com/designers? | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designersG | 0% | Virustotal | -
https://api.ipify.org/ | 0% | Virustotal | -
twart.myfirewall.org | 0% | Avira URL Cloud | safe
http://ipwho.isd | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers? | 0% | Virustotal | -
http://www.goodfont.co.kr | 0% | Avira URL Cloud | safe
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal | -
http://www.fontbureau.com/designers/? | 0% | Virustotal | -
twart.myfirewall.org | 10% | Virustotal | -
http://www.carterandcone.coml | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Avira URL Cloud | safe
http://www.sakkal.com. | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | Virustotal | -
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | -
http://www.typography.netD | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | Virustotal | -
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/d | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Virustotal | -
http://www.sakkal.com. | 0% | Virustotal | -
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | Virustotal | -
https://stackoverflow.com/q/11564914/23354; | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/d | 0% | Virustotal | -
http://www.galapagosdesign.com/staff/dennis.htm | 0% | Virustotal | -
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | -
https://ipwho.is | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | Avira URL Cloud | safe
http://www.fonts.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers8 | 0% | Avira URL Cloud | safe
https://ipwho.is | 0% | Virustotal | -
http://www.galapagosdesign.com/DPlease | 0% | Virustotal | -
http://www.fontbureau.com/designers/frere-user.html | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/ | 0% | Virustotal | -
http://www.sandoll.co.kr | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Virustotal | -
https://stackoverflow.com/q/11564914/23354; | 0% | Virustotal | -
http://www.fonts.com | 0% | Virustotal | -
http://www.urwpp.deDPlease | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/2152978/23354sCannot | 0% | Avira URL Cloud | safe
https://ipwho.is/ | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers8 | 0% | Virustotal | -
http://www.sandoll.co.kr | 0% | Virustotal | -
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | Avira URL Cloud | safe
http://ipwho.is | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Virustotal | -
https://stackoverflow.com/q/2152978/23354sCannot | 0% | Virustotal | -
http://www.sakkal.com | 0% | Virustotal | -
https://ipwho.is/ | 0% | Virustotal | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | - | unknown
twart.myfirewall.org | 213.159.74.80 | true | true | - | unknown
windowsupdatebg.s.llnwi.net | 87.248.204.0 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
twart.myfirewall.org | true | 10%, Virustotal; Avira URL Cloud: safe | unknown
https://ipwho.is/ | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/14436606/23354 | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2341312292.0000000003512000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | workbook.exe, 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ipwho.isd | workbook.exe, 00000007.00000002.2341312292.00000000036A8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.sakkal.com. | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789220021.0000000005810000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.typography.netD | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/d | workbook.exe, 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/11564914/23354; | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://ipwho.is | workbook.exe, 00000007.00000002.2341312292.0000000003696000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fonts.com | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/2152978/23354sCannot | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000002.00000002.1808999815.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000007.00000002.2341312292.00000000034EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | doc_Zapytanie - Oferta POLSKA 91044PL.com.exe, 00000000.00000002.1789262166.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ipwho.is | workbook.exe, 00000007.00000002.2341312292.00000000036A8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
213.159.74.80 | twart.myfirewall.org | Russian Federation | 13078 | CTINET-ASCTINETAutonomousSystemRU | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1509224
Start date and time: 2024-09-11 10:24:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@29/7@2/2
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 248
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 87.248.204.0
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target workbook.exe, PID 7720 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
04:25:06 | API Interceptor | 1x Sleep call for process: doc_Zapytanie - Oferta POLSKA 91044PL.com.exe modified
04:25:10 | API Interceptor | 2137x Sleep call for process: workbook.exe modified
09:25:10 | Task Scheduler | Run new task: workbook path: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
213.159.74.80 | doc_Zapytanie - Oferta KH 09281.com.exe | malicious | Quasar |
213.159.74.80 | doc_rfq Oferta KH 09281.pdf.com.exe | malicious | Quasar |
213.159.74.80 | Client.exe | malicious | Quasar |
213.159.74.80 | rNuevoPedidoPO-00843.pdf.com.exe | malicious | Quasar |
213.159.74.80 | rVAKIFBANK-Ödemeonaymakbuzu20240826.pdf.exe | malicious | Quasar |
213.159.74.80 | ZKB - Zahlungsbestätigung an 20240828.pdf.exe | malicious | Quasar |
213.159.74.80 | VakıfBank - Ödeme onay makbuzu 20240826.pdf.exe | malicious | Quasar |
213.159.74.80 | 4dALKsHYFM.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer, zgRAT |
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
195.201.57.90 | Clipper.exe | malicious | Unknown | /?output=json
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | doc_Zapytanie - Oferta KH 09281.com.exe | malicious | Quasar | 195.201.57.90
ipwho.is | doc_rfq Oferta KH 09281.pdf.com.exe | malicious | Quasar | 195.201.57.90
ipwho.is | bin homebots io.bat | malicious | Unknown | 195.201.57.90
ipwho.is | yJrZoOsgfl.exe | malicious | Unknown | 195.201.57.90
ipwho.is | IMKssbDprn.exe | malicious | Unknown | 108.181.98.179
ipwho.is | WBmC56ADQF.lnk | malicious | Unknown | 195.201.57.90
ipwho.is | uScqjqUS1m.exe | malicious | Unknown | 195.201.57.90
ipwho.is | CVSIyqGKKK.exe | malicious | Unknown | 108.181.98.179
ipwho.is | Client.exe | malicious | Quasar | 195.201.57.90
ipwho.is | AdjustLoader.exe | malicious | Unknown | 195.201.57.90
twart.myfirewall.org | doc_Zapytanie - Oferta KH 09281.com.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | doc_rfq Oferta KH 09281.pdf.com.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | Client.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | rNuevoPedidoPO-00843.pdf.com.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | rVAKIFBANK-Ödemeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | ZKB - Zahlungsbestätigung an 20240828.pdf.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | VakıfBank - Ödeme onay makbuzu 20240826.pdf.exe | malicious | Quasar | 213.159.74.80
twart.myfirewall.org | 4dALKsHYFM.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer, zgRAT | 213.159.74.80
twart.myfirewall.org | doc_RFQ NEW ORDER #2400228341.pdf.exe | malicious | AsyncRAT | 41.151.251.119
twart.myfirewall.org | doc_Rfq_TNTM Új rend TM00002916620 exp_pdf.exe | malicious | XWorm | 103.35.191.158
windowsupdatebg.s.llnwi.net | http://mipco.ae/ | malicious | Unknown | 87.248.202.1
windowsupdatebg.s.llnwi.net | http://brisbanepowerhouse.org | malicious | Unknown | 87.248.205.0
windowsupdatebg.s.llnwi.net | http://14792bf6.helper3002-eiir3332321.pages.dev/help | malicious | Unknown | 87.248.205.0
windowsupdatebg.s.llnwi.net | https://experthelpdesknotice.weebly.com/ | malicious | Unknown | 46.228.146.128
windowsupdatebg.s.llnwi.net | http://is.gd/af4MWe?US=937448/ | malicious | Unknown | 178.79.238.0
windowsupdatebg.s.llnwi.net | http://web.telgram.lol/ | malicious | Unknown | 46.228.146.0
windowsupdatebg.s.llnwi.net | https://homepage--coinbase-fec.webflow.io/ | malicious | HTMLPhisher | 41.63.96.0
windowsupdatebg.s.llnwi.net | https://interior.dipttiikhannadesigns.com/330856818500593584526057bi2sxgen-pgx-731993623051-ifxcperezabad-isxeversheds-sutherland.essf-1MC4w | malicious | Unknown | 87.248.202.1
windowsupdatebg.s.llnwi.net | https://canadaca1.godaddysites.com | malicious | Unknown | 46.228.146.0
windowsupdatebg.s.llnwi.net | https://www.tiktok.com/////link/v2?aid=1988&lang=enFSmPWg&scene=bio_url&target=google.com.////amp/s/cth.vn/.dev/JCE6X4BH/cnVzc2VsbEBhZGtjcmVkaXR1bmlvbi5jb20==$%E3%80%82 | malicious | HTMLPhisher, Tycoon2FA | 46.228.146.0

Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | file.exe | malicious | Vidar | 5.75.214.132
HETZNER-ASDE | file.exe | malicious | LummaC, Vidar | 5.75.214.132
HETZNER-ASDE | http://www.viundodal.serv00.net/ | malicious | Unknown | 136.243.156.120
HETZNER-ASDE | http://yi4xu8pw3bsb6.pages.dev/ | malicious | Unknown | 195.201.57.90
HETZNER-ASDE | https://focuslify.com/pages/ad4eafd7-3402-4eaa-94db-5d87e99f42b2 | malicious | HTMLPhisher | 195.201.127.76
HETZNER-ASDE | RFQ-DL32035.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 135.181.160.46
HETZNER-ASDE | bot_library.exe | malicious | Unknown | 159.69.63.226
HETZNER-ASDE | bot_library.exe | malicious | Unknown | 159.69.63.226
HETZNER-ASDE | Quotation.xls | malicious | Unknown | 95.217.202.210
HETZNER-ASDE | https://u46709706.ct.sendgrid.net/ls/click?upn=u001.DKwEP7VZOQzO0CdL8oA-2F1XfRWjdnnJf8AzT08E2sLXTgMdD9Jn8frnIecLny3eAokPJfihouroN0Bfpu-2Fc6LnrjqjViS2pLM6S7dZHOEwpuLfW-2BIU7dEMYGgaqQi-2B7ZF0pXBlOGA-2BSPzvia0EbhuUQ-3D-3D_2_r_uaJJRFhr-2BcMTvUL7itRYOkOTFwa3yBQ-2Be5ivdH2VumIL8X-2BH-2Fbr48QmarAca3fouHSsMOxgbLM7p2wkFK-2FUQL6-2FE9yCCxVee50mxUV1yVgD0jP9rXVSjBZFhWzNsNI0r917tCy3Siqu3AuAzm4HWroH5uBBAEhWW2PKqu-2B5XjabsjUwJhDJYiuP7NzEfnzrbkWW2CLIJbYvjD7vD7au-2BFw-3D-3D | malicious | Phisher | 5.161.89.212
CTINET-ASCTINETAutonomousSystemRU | doc_Zapytanie - Oferta KH 09281.com.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | doc_rfq Oferta KH 09281.pdf.com.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | Client.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | rNuevoPedidoPO-00843.pdf.com.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | rVAKIFBANK-Ödemeonaymakbuzu20240826.pdf.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | ZKB - Zahlungsbestätigung an 20240828.pdf.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | VakıfBank - Ödeme onay makbuzu 20240826.pdf.exe | malicious | Quasar | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | 4dALKsHYFM.exe | malicious | AgentTesla, AsyncRAT, PureLog Stealer, zgRAT | 213.159.74.80
CTINET-ASCTINETAutonomousSystemRU | yEL4yMV0s4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 213.159.64.146
CTINET-ASCTINETAutonomousSystemRU | AGREEMENT AND APPROVAL REPORT FECRWY RN & FR OF 2024-501144_6.5.24.pdf | malicious | HTMLPhisher | 213.159.64.109

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://punchconsultingcomdocs.blob.core.windows.net/catherinebrien/2EQ40z6JcQ8ZrKYgbMrrRmtVQafHWHTWzkJLTUq2CjCuzBCekR7uHtqnRYRYmEhiJ2e7Y.html | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Wire-transaction073921.exe | malicious | SilverRat | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | https://online.sofitelbahrain.com | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | 018292540-SuratTeguranPPI-20230814215304.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Q88_TAI SHAN - 11.09.24.docx.scr.exe | malicious | AgentTesla | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | ZHONG XING HAI PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | VlmNuDYKAv.exe | malicious | Amadey, Stealc | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Enquiry.vbs | malicious | PXRECVOWEIWOEI Stealer | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Order Quotation.exe | malicious | AgentTesla | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://993.ksefilmblick.de/wp-includes/rest-api/go4biz/263-net | malicious | HTMLPhisher | 195.201.57.90

No context
Process: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
Process: C:\Users\user\AppData\Roaming\SubDir\workbook.exe
File Type: data
Category: dropped
Size (bytes): 290
Entropy (8bit): 2.9844219596585932
Encrypted: false
SSDEEP: 6:kKBULlL9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:CYD9LNkPlE99SNxAhUe/
MD5: 048D3BFDF4B7D96B8B5E9F7E0B88BEC8
SHA1: 62D142146657E5FA8F7F67A8F6690EB6D21B3E11
SHA-256: 3835B06988EB4435E8DFBC7268A5C1CCAF981A160FCFBA673E3AD880B54B5ECF
SHA-512: 1B70463A8CA262103C1A5C3F6BDEB3A5F73052B2CF3366B8317ED6641B84F6ACB670F28B54DDA44050FB0419F9F4D40899BC60E328BEBC56AD8261A2B0C99658
Malicious: false
                                Preview:p...... ........P.?.$...(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
Process: C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):213
                                Entropy (8bit):5.345312382054873
                                Encrypted:false
                                SSDEEP:6:hC47bxrBeLuVFOOzCZG1wknaZ539bKOZG1wkn23fol:d5r+uVEOorH39ffwl
                                MD5:E1C9708B17F18DBB276C1DE0B877E980
                                SHA1:1B6AF0A419EB6319C747F2112348D67CBCD2F9B3
                                SHA-256:60DC83FCFD8200A720149B1100B57B0D57DEA555AC9A1C81AC3F8692CECE6B21
                                SHA-512:9969254B9981FA7171444980DD4281B84F00259BAF71C1B8B4DB34BA3C8CC312F3C267B9CC60F8BC23D889AD641E02010ECAFCFF2B3AACEA20D1BA887267C75E
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                Preview:@echo off..chcp 65001..echo DONT CLOSE THIS WINDOW!..ping -n 10 localhost > nul..del /a /q /f "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat"
                                Process:C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):3701760
                                Entropy (8bit):7.995152873348778
                                Encrypted:true
                                SSDEEP:98304:sd403a+fJYbXSHFK7OVTCEr/x8TOdT2J978fB:sdxf8iZZyTq2Jp85
                                MD5:72C1F40EAFABDCDB3662D1DAD9EE2230
                                SHA1:7C7AD3BA48BF9CE3E2B487D98B6A66D4D631892A
                                SHA-256:FD3B039DF3E9A565B6964276F98C61D4555F3F3DABF1A9D76604F9FF4D4B3FB7
                                SHA-512:4F4865B93479645B0E5F52AC3EF5D91A9BA3BC89F4165B6FE595389C0D409C8352DBBC53FBA1CAF7862589D6475D4411A3794BBCFA8C04E42301EF8F11603AFE
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 18%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.................0..p8..........8.. ....8...@.. ........................8...........@.................................v.8.O.....8.,.....................8......u8.p............................................ ............... ..H............text....n8.. ...p8................. ..`.rsrc...,.....8......r8.............@..@.reloc........8......z8.............@..B..................8.....H........_..d;......5...H.....7...........................................{....*"..}....*..{....*"..}....*~...(2.......(......s....(.....*&.(3.....*.0............(4...r...p.(....(.....+..*..r...p}.....r-..p}......}.....(.......(......s....}....*..*.0..^.........(.......{....s6...}.....{.... .....s....o......{.... .... N...s....o......(.....{....o.....*...0..^.........(.......{....s;...}.....{.... .....s....o......{.... .... N...s....o......(.....{....o.....*...0..^.........(.
                                Process:C:\Windows\SysWOW64\PING.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):502
                                Entropy (8bit):4.6048426069826895
                                Encrypted:false
                                SSDEEP:12:PhY5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:5qdUOAokItULVDv
                                MD5:EA5DD1D8BC9737245BE9D4DA99AEA3D7
                                SHA1:BD50891B148D61BC185D45580A6CACF2A38745FA
                                SHA-256:CBDB331BCF1FC83A00D431570C20765983E1790BDE2F4D9DC418041363150299
                                SHA-512:3FF2CB9E6A1500A79D19EC74645AB05A98FA45278E3D52146E7F70AC2EC92F06C8FC5F930EB51979E72C97C0B6FDB6FA620A178D1BBAFD2ADA8F36B4C14EBB68
                                Malicious:false
                                Preview:..Pinging 506013 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.995152873348778
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                                File size:3'701'760 bytes
                                MD5:72c1f40eafabdcdb3662d1dad9ee2230
                                SHA1:7c7ad3ba48bf9ce3e2b487d98b6a66d4d631892a
                                SHA256:fd3b039df3e9a565b6964276f98c61d4555f3f3dabf1a9d76604f9ff4d4b3fb7
                                SHA512:4f4865b93479645b0e5f52ac3ef5d91a9ba3bc89f4165b6fe595389c0d409c8352dbbc53fba1caf7862589d6475d4411a3794bbcfa8c04e42301ef8f11603afe
                                SSDEEP:98304:sd403a+fJYbXSHFK7OVTCEr/x8TOdT2J978fB:sdxf8iZZyTq2Jp85
                                TLSH:1206338110798B1EEDFB46B12521B2300F2215723A61C9E95E73E3C91CDEF8E561BD9B
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.................0..p8...........8.. ....8...@.. ........................8...........@................................
                                Icon Hash:90cececece8e8eb0
                                Entrypoint:0x788eca
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xE9F7EC64 [Sat May 22 04:00:36 2094 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x388e76 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38a000 | 0x62c | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x38c000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3875f8 | 0x70 | .text
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x386ed0 | 0x387000 | 68c920812ff5da9d8451967b96621624 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x38a000 | 0x62c | 0x800 | 58693a73e206c6c7082ee47627ea6ae2 | False | 0.33642578125 | data | 3.4693095596209593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x38c000 | 0xc | 0x200 | 0d259a3cb9cf199ef83a091b9c47facb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_VERSION | 0x38a090 | 0x39c | data | | | 0.4166666666666667
                                RT_MANIFEST | 0x38a43c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                DLL | Import
                                mscoree.dll | _CorExeMain
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-09-11T10:25:15.454254+0200 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 213.159.74.80 | 9792 | 192.168.2.4 | 49735 | TCP
                                2024-09-11T10:25:15.454254+0200 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 213.159.74.80 | 9792 | 192.168.2.4 | 49735 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Sep 11, 2024 10:25:14.934365988 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:14.939338923 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:14.939434052 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:14.946537971 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:14.951378107 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:15.445492983 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:15.445552111 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:15.445612907 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:15.449342966 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:15.454253912 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:15.551063061 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:15.767590046 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:16.771595955 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:16.771663904 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:16.773200989 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:16.773260117 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:16.781786919 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:16.781846046 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:17.718899012 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:17.718947887 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:17.719131947 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:17.722167015 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:17.722191095 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.346656084 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.346734047 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:19.350285053 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:19.350296021 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.350693941 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.355945110 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:19.399411917 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.550677061 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.550834894 CEST | 443 | 49737 | 195.201.57.90 | 192.168.2.4
                                Sep 11, 2024 10:25:19.550893068 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:19.614217043 CEST | 49737 | 443 | 192.168.2.4 | 195.201.57.90
                                Sep 11, 2024 10:25:19.775459051 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:19.780613899 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:19.780786037 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:19.785696983 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:19.908416986 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:19.995028019 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:25:19.995223045 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:45.002151966 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:25:45.007762909 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.277453899 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.277507067 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.277538061 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.277601004 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:26:04.277612925 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.277790070 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:26:04.281383991 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:26:04.286256075 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.286314964 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:26:04.291220903 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.578985929 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Sep 11, 2024 10:26:04.584377050 CEST | 9792 | 49735 | 213.159.74.80 | 192.168.2.4
                                Sep 11, 2024 10:26:04.584480047 CEST | 49735 | 9792 | 192.168.2.4 | 213.159.74.80
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Sep 11, 2024 10:25:14.359769106 CEST | 55021 | 53 | 192.168.2.4 | 1.1.1.1
                                Sep 11, 2024 10:25:14.929982901 CEST | 53 | 55021 | 1.1.1.1 | 192.168.2.4
                                Sep 11, 2024 10:25:17.705437899 CEST | 53481 | 53 | 192.168.2.4 | 1.1.1.1
                                Sep 11, 2024 10:25:17.712869883 CEST | 53 | 53481 | 1.1.1.1 | 192.168.2.4
                                Sep 11, 2024 10:25:50.571995974 CEST | 53 | 63616 | 162.159.36.2 | 192.168.2.4
                                Sep 11, 2024 10:25:51.054516077 CEST | 53 | 64564 | 1.1.1.1 | 192.168.2.4
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Sep 11, 2024 10:25:14.359769106 CEST | 192.168.2.4 | 1.1.1.1 | 0xa295 | Standard query (0) | twart.myfirewall.org | A (IP address) | IN (0x0001) | false
                                Sep 11, 2024 10:25:17.705437899 CEST | 192.168.2.4 | 1.1.1.1 | 0xbae7 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Sep 11, 2024 10:25:14.929982901 CEST | 1.1.1.1 | 192.168.2.4 | 0xa295 | No error (0) | twart.myfirewall.org | | 213.159.74.80 | A (IP address) | IN (0x0001) | false
                                Sep 11, 2024 10:25:16.786474943 CEST | 1.1.1.1 | 192.168.2.4 | 0xc777 | No error (0) | windowsupdatebg.s.llnwi.net | | 87.248.204.0 | A (IP address) | IN (0x0001) | false
                                Sep 11, 2024 10:25:16.786485910 CEST | 1.1.1.1 | 192.168.2.4 | 0xc777 | No error (0) | windowsupdatebg.s.llnwi.net | | 87.248.204.0 | A (IP address) | IN (0x0001) | false
                                Sep 11, 2024 10:25:17.712869883 CEST | 1.1.1.1 | 192.168.2.4 | 0xbae7 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                                • ipwho.is
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.4 | 49737 | 195.201.57.90 | 443 | 7720 | C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2024-09-11 08:25:19 UTC | 150 | OUT | GET / HTTP/1.1
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                Host: ipwho.is
                                Connection: Keep-Alive
                                2024-09-11 08:25:19 UTC | 223 | IN | HTTP/1.1 200 OK
                                Date: Wed, 11 Sep 2024 08:25:19 GMT
                                Content-Type: application/json; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                Server: ipwhois
                                Access-Control-Allow-Headers: *
                                X-Robots-Tag: noindex
                                2024-09-11 08:25:19 UTC | 1019 | IN | Data Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72
                                Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor

                                Target ID:0
                                Start time:04:25:05
                                Start date:11/09/2024
                                Path:C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"
                                Imagebase:0x6d0000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1780683199.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1791185855.000000000A50F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1791185855.00000000099B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1802872858.000000000B841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:2
                                Start time:04:25:08
                                Start date:11/09/2024
                                Path:C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"
                                Imagebase:0x7d0000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.1796545473.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.1796545473.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:04:25:09
                                Start date:11/09/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                                Imagebase:0xfb0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:04:25:09
                                Start date:11/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:04:25:10
                                Start date:11/09/2024
                                Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                Imagebase:0x170000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1824379236.00000000028B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 18%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:6
                                Start time:04:25:11
                                Start date:11/09/2024
                                Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Imagebase:0x150000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1862456672.000000000282F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1876814149.0000000003B6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:7
                                Start time:04:25:11
                                Start date:11/09/2024
                                Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                Imagebase:0xec0000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.2341312292.00000000036F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:8
                                Start time:04:25:13
                                Start date:11/09/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                                Imagebase:0xfb0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:04:25:13
                                Start date:11/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:04:25:16
                                Start date:11/09/2024
                                Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                Imagebase:0x420000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:11
                                Start time:04:25:16
                                Start date:11/09/2024
                                Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                Imagebase:0x8b0000
                                File size:3'701'760 bytes
                                MD5 hash:72C1F40EAFABDCDB3662D1DAD9EE2230
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:15
                                Start time:04:26:03
                                Start date:11/09/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:"schtasks" /delete /tn "workbook" /f
                                Imagebase:0xfb0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:16
                                Start time:04:26:03
                                Start date:11/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:17
                                Start time:04:26:04
                                Start date:11/09/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat" "
                                Imagebase:0x240000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:18
                                Start time:04:26:04
                                Start date:11/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:19
                                Start time:04:26:04
                                Start date:11/09/2024
                                Path:C:\Windows\SysWOW64\chcp.com
                                Wow64 process (32bit):true
                                Commandline:chcp 65001
                                Imagebase:0xea0000
                                File size:12'800 bytes
                                MD5 hash:20A59FB950D8A191F7D35C4CA7DA9CAF
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:20
                                Start time:04:26:04
                                Start date:11/09/2024
                                Path:C:\Windows\SysWOW64\PING.EXE
                                Wow64 process (32bit):true
                                Commandline:ping -n 10 localhost
                                Imagebase:0x9e0000
                                File size:18'944 bytes
                                MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

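The process list above shows the whole persistence and cleanup cycle in command lines alone: schtasks /create with /sc ONLOGON and /rl HIGHEST pointing into AppData\Roaming, the same binary (identical MD5) re-executed from that path, the task deleted again with schtasks /delete, a .bat launched from Temp, and ping -n 10 localhost used as a sleep. The Python below is an added example, not part of the Joe Sandbox report: it runs those checks over process-creation events. The event dict layout, the parent_image field and the benign task in its checks are constructed for the example; the paths, command lines and MD5 values are copied from the entries above.

```python
"""Checks over process-creation events for the behaviour in this process tree.

Added example, not part of the Joe Sandbox report. Events are plain dicts
with the fields the report's process entries expose (image, command line,
MD5) plus a parent_image field that is assumed here; the sample events at the
bottom reuse the report's paths, command lines and hashes, with parents filled
in as assumptions. The first event must be the submitted sample.
"""
import re

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
PING_SLEEP = re.compile(r"-n\s+(\d+)\s+(localhost|127\.0\.0\.1)", re.IGNORECASE)
BAT_IN_TEMP = re.compile(r'[^"\s]+\\Temp\\[^"\s]+\.bat', re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]


def schtasks_args(cmdline):
    """Parse schtasks /flag [value] pairs into a dict keyed by upper-cased flag."""
    toks = tokenize(cmdline)
    args, i = {}, 1                               # toks[0] is the program itself
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].upper()
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            if nxt and not nxt.startswith("/"):   # flag that takes a value
                args[key] = nxt
                i += 2
                continue
            args[key] = True                      # bare switch such as /F
        i += 1
    return args


def analyze_events(events):
    """Return (finding, detail) pairs, in event order, for a chronological event list."""
    findings = []
    sample_md5 = events[0]["md5"].upper()
    sample_image = events[0]["image"].lower()
    own_tasks = {}                                # task name -> /tr target
    for ev in events:
        image, cmd = ev["image"], ev["command_line"]
        base = image.lower().rsplit("\\", 1)[-1]
        # Same hash as the sample, now running from a user-writable directory.
        if (ev["md5"].upper() == sample_md5 and image.lower() != sample_image
                and USER_WRITABLE.search(image)):
            findings.append(("self_copy", image))
        if base == "schtasks.exe":
            a = schtasks_args(cmd)
            if "CREATE" in a:
                target = str(a.get("TR", ""))
                if (str(a.get("SC", "")).upper() in ("ONLOGON", "ONSTART")
                        and str(a.get("RL", "")).upper() == "HIGHEST"
                        and USER_WRITABLE.search(target)):
                    own_tasks[str(a.get("TN", ""))] = target
                    findings.append(("logon_task_highest_user_path", target))
            elif "DELETE" in a and a.get("TN") in own_tasks:
                findings.append(("own_task_deleted", a["TN"]))
        elif base == "cmd.exe":
            m = BAT_IN_TEMP.search(cmd)
            if m:
                findings.append(("batch_from_temp", m.group(0)))
        elif base == "ping.exe":
            m = PING_SLEEP.search(cmd)
            if m and ev.get("parent_image", "").lower().endswith("cmd.exe"):
                findings.append(("ping_sleep", f"-n {m.group(1)} {m.group(2)}"))
    return findings


SAMPLE = r"C:\Users\user\Desktop\doc_Zapytanie - Oferta POLSKA 91044PL.com.exe"
COPY = r"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
EVENTS = [  # paths, command lines and MD5s from the process entries; parents assumed
    {"image": SAMPLE, "command_line": f'"{SAMPLE}"',
     "md5": "72C1F40EAFABDCDB3662D1DAD9EE2230", "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": f'"schtasks" /create /tn "workbook" /sc ONLOGON /tr "{COPY}" /rl HIGHEST /f',
     "md5": "48C2FE20575769DE916F48EF0676A965", "parent_image": SAMPLE},
    {"image": COPY, "command_line": f'"{COPY}"',
     "md5": "72C1F40EAFABDCDB3662D1DAD9EE2230", "parent_image": SAMPLE},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": '"schtasks" /delete /tn "workbook" /f',
     "md5": "48C2FE20575769DE916F48EF0676A965", "parent_image": COPY},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\WVguSISHHEaz.bat" "',
     "md5": "D0FCE3AFA6AA1D58CE9FA336CC2B675B", "parent_image": COPY},
    {"image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping -n 10 localhost",
     "md5": "B3624DD758CCECF93A1226CEF252CA12", "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
]

if __name__ == "__main__":
    for kind, detail in analyze_events(EVENTS):
        print(f"{kind:32} {detail}")
```

The task check deliberately keys on the combination (logon trigger, HIGHEST run level, target under a user-writable directory) rather than on the task name, since the name is whatever the operator typed into the builder; the delete check only fires for a task this same tree created, which is what distinguishes self-cleanup from an administrator removing a task.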

                                  Execution Graph

                                  Execution Coverage:8.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:159
                                  Total number of Limit Nodes:14
                                  execution_graph: rendered as an interactive graph in the original report; the flattened node/edge listing is omitted here. Recoverable content: nodes in the 0x1340000 dump call DuplicateHandle, GetModuleHandleW, CreateActCtxA, GetCurrentProcess, GetCurrentThread and GetCurrentThreadId; nodes in the 0x7A10000 dump call PostMessageW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread. The latter group is the CreateProcessA -> VirtualAllocEx -> WriteProcessMemory -> Wow64SetThreadContext -> ResumeThread chain behind the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures in the overview.
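The execution_graph above is the report's interactive graph flattened to text: each node is a decimal id, a hex address and optional labels (an API name, or a summary such as "2 API calls"), and each "a->b" token is an edge. The Python below is an added example, not code from the report or from Joe Sandbox: it parses that text with a token grammar inferred from the page (an assumption, not a documented format), lists the API-calling nodes, and checks whether the injection chain behind the "Injects a PE file into a foreign processes" signature (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) is present and from which nodes it is reached. The excerpt it runs on is copied from the graph above.

```python
"""Parser for the flattened 'execution_graph' text of a Joe Sandbox report.

Added example; not part of the original report. The token grammar below
(node = decimal id + hex address [+ labels], edge = "id->id") is inferred
from the report text itself, not from any documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass, field

NODE_ID = re.compile(r"^\d+$")
HEX_ADDR = re.compile(r"^[0-9a-f]{6,8}$")      # 5-digit node ids never match
EDGE = re.compile(r"^(\d+)->(\d+)$")
# An API label is CamelCase with at least one lowercase letter; this keeps
# "CreateProcessA" and drops the summary tokens "2", "API", "calls".
API_NAME = re.compile(r"^[A-Z](?=.*[a-z])[A-Za-z0-9]+$")

# The Win32 chain behind the overview's injection signatures: spawn the
# target, allocate in it, write, set the thread context, resume.
INJECTION_CHAIN = ("CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread")


@dataclass
class Node:
    node_id: int
    address: str                                 # hex address as printed
    labels: list = field(default_factory=list)   # API names or "N API calls"


def parse_execution_graph(text):
    """Return (nodes, edges): nodes keyed by id, edges as (src, dst) tuples."""
    nodes, edges = {}, []
    tokens = text.split()
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A node starts with a decimal id immediately followed by a hex address.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = Node(int(tok), tokens[i + 1])
            nodes[current.node_id] = current
            i += 2
            continue
        if current is not None:      # anything else labels the current node
            current.labels.append(tok)
        i += 1
    return nodes, edges


def api_calls(nodes):
    """Sorted distinct Win32 API names appearing as node labels."""
    return sorted({lab for n in nodes.values() for lab in n.labels if API_NAME.match(lab)})


def api_call_sites(nodes):
    """Map API name -> sorted addresses of the nodes labelled with it."""
    sites = {}
    for n in nodes.values():
        for lab in n.labels:
            if API_NAME.match(lab):
                sites.setdefault(lab, []).append(n.address)
    return {k: sorted(v) for k, v in sites.items()}


def missing_injection_apis(nodes, chain=INJECTION_CHAIN):
    """Steps of the injection chain that do not appear anywhere in the graph."""
    present = set(api_calls(nodes))
    return [api for api in chain if api not in present]


def callers_of(nodes, edges, api):
    """Addresses of nodes with an edge into a node labelled with `api`."""
    targets = {n.node_id for n in nodes.values() if api in n.labels}
    return sorted(nodes[src].address for src, dst in edges if dst in targets and src in nodes)


# Excerpt of the report's execution_graph (the nodes around the injection
# APIs), embedded so the example runs offline.
SAMPLE_GRAPH = (
    "execution_graph 27131 7a1b9e8 27068->27131 27132 7a1ba71 CreateProcessA "
    "27131->27132 27134 7a1bc33 27132->27134 27139 7a1b2a0 27077->27139 "
    "27140 7a1b2e0 VirtualAllocEx 27139->27140 27089 7a1b358 27021->27089 "
    "27090 7a1b3a8 WriteProcessMemory 27089->27090 27097 7a1a950 27031->27097 "
    "27098 7a1a958 Wow64SetThreadContext 27097->27098 27127 7a1a8a8 27114->27127 "
    "27128 7a1a8e8 ResumeThread 27127->27128 27049 7a1da11 2 API calls 27048->27049"
)

if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print("APIs:", ", ".join(api_calls(nodes)))
    print("missing from injection chain:", missing_injection_apis(nodes) or "none")
    print("CreateProcessA reached from:", callers_of(nodes, edges, "CreateProcessA"))
```

On the full graph text the same functions list every API above, and the call-site map separates the 0x134xxxx nodes (handle and context setup) from the 0x7a1xxxx nodes that carry the injection chain.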
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1aae6214995ba812e2d98bc18a2fe4df96736854c0b4eaa8a347dd506160b524
                                  • Instruction ID: e63f254dea18a99c5f7f9b601daca8f52ad8b6a66065ac085865e8c2d401074f
                                  • Opcode Fuzzy Hash: 1aae6214995ba812e2d98bc18a2fe4df96736854c0b4eaa8a347dd506160b524
                                  • Instruction Fuzzy Hash: 67E1DCB07042158FEB29DB79C550BAEB7FAAFC8306F14846DD9569B390DB34E801CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 61a3a0a704c972e05a4b12a8d0df6cff8639e2fc928de463604cce5fb456b90c
                                  • Instruction ID: e3fb461691264ad0c7094b3ad1cb97a2277b0657dc17b957537e4980ef5c0a94
                                  • Opcode Fuzzy Hash: 61a3a0a704c972e05a4b12a8d0df6cff8639e2fc928de463604cce5fb456b90c
                                  • Instruction Fuzzy Hash: 8821FCB1E056598FEB18CF6BC84069EFBB7AFC9300F14C0BAC458AA265EB3409458F51

                                  Control-flow Graph

                                  Control-flow graph rendered interactively in the original report (executed and not-executed blocks were colour-coded); the flattened basic-block list, covering 0x134d409-0x134d5e5 with one internal call to 0x134d5e8, is omitted here. API call sites are listed under APIs below.
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0134D496
                                  • GetCurrentThread.KERNEL32 ref: 0134D4D3
                                  • GetCurrentProcess.KERNEL32 ref: 0134D510
                                  • GetCurrentThreadId.KERNEL32 ref: 0134D569
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 6d5e6ce4681eb93b70a0c958bed6681904df58c0961e2e262427800838320fa4
                                  • Instruction ID: ab3c997fdbaf23cb2597dba707f115008d13ae932f15a0e30f4131f9be19771e
                                  • Opcode Fuzzy Hash: 6d5e6ce4681eb93b70a0c958bed6681904df58c0961e2e262427800838320fa4
                                  • Instruction Fuzzy Hash: 405136B0D003498FDB18DFAAD548BDEBBF1BB48318F208459D459AB360DB34A984CF65

                                  Control-flow Graph

                                  Control-flow graph rendered interactively in the original report (executed and not-executed blocks were colour-coded); the flattened basic-block list, covering 0x134d418-0x134d5e5 with one internal call to 0x134d5e8, is omitted here. API call sites are listed under APIs below.
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0134D496
                                  • GetCurrentThread.KERNEL32 ref: 0134D4D3
                                  • GetCurrentProcess.KERNEL32 ref: 0134D510
                                  • GetCurrentThreadId.KERNEL32 ref: 0134D569
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 82335bdfa77fc237b8c05ca07dabaf7bbd07447b6a837ff1f8d9f361654b4895
                                  • Instruction ID: cb173350305914d6db2666cf6863664389c9b6c111502d5e514010186e03f80a
                                  • Opcode Fuzzy Hash: 82335bdfa77fc237b8c05ca07dabaf7bbd07447b6a837ff1f8d9f361654b4895
                                  • Instruction Fuzzy Hash: DF5127B0D002098FDB18DFAAD548BDEBBF1BB48318F208459D459AB360DB74A944CF65

                                  Control-flow Graph

                                  Control-flow graph rendered interactively in the original report (executed and not-executed blocks were colour-coded); the flattened basic-block list, covering 0x7a1b9df-0x7a1bd2d, is omitted here. The API call site is listed under APIs below.
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A1BC1E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 035cab647c72ff98e42029621a79f24cc099d80546fb7c4af53a99db43a3a21a
                                  • Instruction ID: 241f4e59b527f14eb4ac0be98335a0280934a737d87963988bb0bd8d07421339
                                  • Opcode Fuzzy Hash: 035cab647c72ff98e42029621a79f24cc099d80546fb7c4af53a99db43a3a21a
                                  • Instruction Fuzzy Hash: 88A180B1D0021ADFEB14DF69C9417EDBBB2FF48314F1481A9E858A7240DB749985CFA2

                                  Control-flow Graph

                                  Control-flow graph rendered interactively in the original report (executed and not-executed blocks were colour-coded); the flattened basic-block list, covering 0x7a1b9e8-0x7a1bd2d, is omitted here. The API call site is listed under APIs below.
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A1BC1E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 4b6d7bdbd910f32ba96d520ec9127edcd124735e5bf15b6717fc6d4059f40352
                                  • Instruction ID: e6cff4ca17c48ce19e4c17ccba41014983a88345886de16511602afe30737f8a
                                  • Opcode Fuzzy Hash: 4b6d7bdbd910f32ba96d520ec9127edcd124735e5bf15b6717fc6d4059f40352
                                  • Instruction Fuzzy Hash: 409190B1D0021ADFEB14CF69C9417EDBBB2FF48314F1481A9E858A7240DB749985CFA2

                                  Control-flow Graph

                                  Control-flow graph rendered interactively in the original report (executed and not-executed blocks were colour-coded); the flattened basic-block list, covering 0x134ad88-0x134b008 with internal calls to 0x13493b4, 0x134b020, 0x134b011, 0x134a0f0, 0x134a100, 0x134a110, 0x134a120, 0x134b320 and 0x134b2f1, is omitted here. The API call site is listed under APIs below.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0134AFDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0

                                  Control-flow Graph (graph rendering not reproduced here)
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 013459C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  Control-flow Graph (graph rendering not reproduced here)
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 013459C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  Control-flow Graph (graph rendering not reproduced here)
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A1B3F0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0

                                  Control-flow Graph (graph rendering not reproduced here)
                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A1B3F0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0

                                  Control-flow Graph (graph rendering not reproduced here)
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A1A9D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0134D6E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A1B4D0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A1B4D0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A1A9D6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0134D6E7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0134AFDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A1B30E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A1B30E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A1DD45
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A1DD45
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0134AFDE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779444102.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_106d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779444102.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_106d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779444102.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_106d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779444102.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_106d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779403952.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_105d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1779403952.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_105d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a70b3c96b93e3ca43674bc8143c4857f70b9d8b6e3ba16b1b7d0fdff5fbf1778
                                  • Instruction ID: 11e9f1da7462dd48315a2799d0c385c0a09be4fe8bebd60396eb11f5fda529c7
                                  • Opcode Fuzzy Hash: a70b3c96b93e3ca43674bc8143c4857f70b9d8b6e3ba16b1b7d0fdff5fbf1778
                                  • Instruction Fuzzy Hash: 83E15AB4E001198FDB14DFA9C5909AEFBB2FF89304F248569E814AB35AD730A941CF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 82060faed622a2d123e5b186c3d37497b24bd3b2c39dc9bf3fc2a87499466674
                                  • Instruction ID: 46a550c4baeb37995864114a08cdba1c1a7f040ef732a4858ea0382a5585c841
                                  • Opcode Fuzzy Hash: 82060faed622a2d123e5b186c3d37497b24bd3b2c39dc9bf3fc2a87499466674
                                  • Instruction Fuzzy Hash: 41E15BB4E011198FDB14DFA9C5909AEFBB2BF89304F24C569E815AB35AD730A941CF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 43902d7405f34815962ff41263c59d3d3ead3acda78d5f746da151571f985998
                                  • Instruction ID: 9a002cee9be4982cfa9d8ca37ea345b4476f626a70e97bf9cee61e3c58ce2335
                                  • Opcode Fuzzy Hash: 43902d7405f34815962ff41263c59d3d3ead3acda78d5f746da151571f985998
                                  • Instruction Fuzzy Hash: 9CE11CB4E001198FDB14DFA9C5909AEFBF2FF89304F248569E815AB35AD731A941CF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 259c1021c132ed8560f7c2495e39f66e9407d80e0e474d0884cc3d49c5730d7f
                                  • Instruction ID: 796e400331d6505a71bedac475869821bdb6de410a62952097daddcd3720449c
                                  • Opcode Fuzzy Hash: 259c1021c132ed8560f7c2495e39f66e9407d80e0e474d0884cc3d49c5730d7f
                                  • Instruction Fuzzy Hash: DEE12BB4E002598FDB14DFA9C5909AEFBB2FF89304F24C169E419AB359D731A941CF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ced202550b6fdf2eddc4d641c7ac68538ad26f93a80ffd269f27e4014a19d669
                                  • Instruction ID: 00c0ad7f19a8f00553186be9e0011bcb76630f869c7ad7bb15c5e0c02fabf762
                                  • Opcode Fuzzy Hash: ced202550b6fdf2eddc4d641c7ac68538ad26f93a80ffd269f27e4014a19d669
                                  • Instruction Fuzzy Hash: F5E117B4E011198FDB14DFA9C5909AEFBB2FF89304F24C569E815AB35AD730A941CF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a370840dbaea5218ccc79314fc662f2853ef0bc92a069d63c0d065621bf9d34
                                  • Instruction ID: a208dda31ac8120f8ddf2062bf8f79375c63948a8ea1060a079cdd19d1731413
                                  • Opcode Fuzzy Hash: 4a370840dbaea5218ccc79314fc662f2853ef0bc92a069d63c0d065621bf9d34
                                  • Instruction Fuzzy Hash: BAD1283582065A8ECB01EBB8D964A9DF7B1FF95300F1097AAD0493B215EB706AD5CF41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1790526868.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7a10000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6ac69100f2b08f8e0d520d60498d78bc0e79eab4cd02c35a8834d7cbf0419a8
                                  • Instruction ID: 5660c1105fcd4b2968bdc182421cae2509c6885cb5448a883164c2de14cbe03e
                                  • Opcode Fuzzy Hash: b6ac69100f2b08f8e0d520d60498d78bc0e79eab4cd02c35a8834d7cbf0419a8
                                  • Instruction Fuzzy Hash: E4D1173582065A8ECB00EBB8D964A9DF3B1FFD5300F6097AAD0493B215EB706AD4CF41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1780011936.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_1340000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03c613757917c07cf6a3154b6f575db029842f3e9b417cc82fdc461ba3b23d8d
                                  • Instruction ID: 66db896acca59c95f03c074526f09e3e893d3f3266fd253e34d9a636e84a0aee
                                  • Opcode Fuzzy Hash: 03c613757917c07cf6a3154b6f575db029842f3e9b417cc82fdc461ba3b23d8d
                                  • Instruction Fuzzy Hash: 75A19232E00219CFCF15DFB8C88459EBBF6FF84304B19856AE905AB265DB75E946CB40

                                  Execution Graph

                                  Execution Coverage:9.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:425
                                  Total number of Limit Nodes:36
                                  • Execution graph figure omitted: the node/edge listing of the execution_graph rendering is not readable as text. The graph references the API calls CreateActCtxA, GetModuleHandleW, KiUserCallbackDispatcher, SendMessageW, DuplicateHandle, SetWindowLongW, CreateIconFromResourceEx and CallWindowProcW.

                                  Control-flow Graph

                                  • Control-flow graph figure omitted (executed/not-executed block coloring is not recoverable as text): function at 148bff0, basic blocks 148bff0-148c280, GetModuleHandleW called in block 148c238-148c263.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0148C256
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_1480000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: ac07f38279caab60d6c2fb301aa90c1c387f8a6f1ded7caa36893c15777832e7
                                  • Instruction ID: 645fe2762b3313cf1005283038ac642c407e8675765eb4a593a3f1c128906bf2
                                  • Opcode Fuzzy Hash: ac07f38279caab60d6c2fb301aa90c1c387f8a6f1ded7caa36893c15777832e7
                                  • Instruction Fuzzy Hash: FC8136B0A00B058FD724EF69D48079BBBF5BF49240F10892ED18AD7B60D775E946CBA1

                                  Control-flow Graph

                                  • Control-flow graph figure omitted (executed/not-executed block coloring is not recoverable as text): function at 541c90c, basic blocks 541c90c-541e29c, EnumThreadWindows called in block 541e236-541e266.
                                  APIs
                                  • EnumThreadWindows.USER32(?,00000000,?), ref: 0541E259
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: EnumThreadWindows
                                  • String ID:
                                  • API String ID: 2941952884-0
                                  • Opcode ID: 38d8bbb09cf76bc5db055b3459c7fe187b56477176731e6e3bc4a5ef79136ab8
                                  • Instruction ID: 0bad962640eba51549d2a169a2c3cc33431e8bdce84e1dc96b6dede0019a906a
                                  • Opcode Fuzzy Hash: 38d8bbb09cf76bc5db055b3459c7fe187b56477176731e6e3bc4a5ef79136ab8
                                  • Instruction Fuzzy Hash: 9E41CF75A042189FDB14DF99C844BEEBBF9EF88310F14842AE819E7350CB789941CB69

                                  Control-flow Graph

                                  • Control-flow graph figure omitted (executed/not-executed block coloring is not recoverable as text): function at 1487364, basic blocks 1487364-14874b9, CreateActCtxA called in block 1487370-1487431.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 01487421
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_1480000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 796d6bc0567e2c2ccee67c48dde20901d2733d56a7c71d8f51e1bd018c247ce7
                                  • Instruction ID: 48d53e3450c145826eb8d02427ba38a6f79d513aa99e8320be0146ebc78b9562
                                  • Opcode Fuzzy Hash: 796d6bc0567e2c2ccee67c48dde20901d2733d56a7c71d8f51e1bd018c247ce7
                                  • Instruction Fuzzy Hash: 9241E2B0C00719CFDB24DFA9C854B9EFBB5BF49704F24806AD408AB265DB756985CF90

                                  Control-flow Graph

                                  • Control-flow graph figure omitted (executed/not-executed block coloring is not recoverable as text): function at 5412b64, basic blocks 5412b64-541446c, CallWindowProcW called in block 54143ea-5414422.
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05414411
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: 2751bacfcbba8a290f9ebb5194d3c056fc7b5d47d16b797ecff3f764b9a1c591
                                  • Instruction ID: b4dd64b1f4e21cb27e4ad1e84554b68f7a823cfccfecc3a66f6682fb50233f13
                                  • Opcode Fuzzy Hash: 2751bacfcbba8a290f9ebb5194d3c056fc7b5d47d16b797ecff3f764b9a1c591
                                  • Instruction Fuzzy Hash: 3D411BB9A00209CFCB14DF99C448AAAFBF5FF88314F14C45AD519AB321D775A841CFA4

                                  Control-flow Graph

                                  • Control-flow graph figure omitted (executed/not-executed block coloring is not recoverable as text): function at 1486414, basic blocks 1486414-14874b9, CreateActCtxA called in block 1486414-1487431.
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 01487421
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_1480000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: b19397e2cdfee59b0cf53e55b082265cdb24a96584901a409a9c8b975f466fe7
                                  • Instruction ID: 7e702925a52041fb65d1e9cea57d86bf7fed1a886d3daee6d2fd09d2e5de81e4
                                  • Opcode Fuzzy Hash: b19397e2cdfee59b0cf53e55b082265cdb24a96584901a409a9c8b975f466fe7
                                  • Instruction Fuzzy Hash: EC41E0B0C0061DCFDB24DFA9C854B9EBBB5BF48704F24806AD408AB265DBB56985CF90

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 0541B168-0541B25A, calls CreateIconFromResourceEx and the internal routines at 05419D7C and 0541AC28
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  • Opcode ID: ebd0e91f5f8907438a18729c3f2279982a7dbe43b41952fa6f9f230eb2f03030
                                  • Instruction ID: e7c3c9d35bef130b959bf693f70380ad808f5568452163ea8cbae65e4132807a
                                  • Opcode Fuzzy Hash: ebd0e91f5f8907438a18729c3f2279982a7dbe43b41952fa6f9f230eb2f03030
                                  • Instruction Fuzzy Hash: 64318D719043599FCB11DFAAD844AEEBFF4EF09350F14809AF954A7221C3359854CFA5

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 01486780-01486842 and calls DuplicateHandle
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0148674E,?,?,?,?,?), ref: 0148680F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_1480000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: cb4d3cc9b32ad5e7149a5689f5c5395596a44e76c3ef3df8053dac48d7498a80
                                  • Instruction ID: 7604f6c2f293f943a041a89ef50848321476a1f2db60df6a5c718d2bb31b85ce
                                  • Opcode Fuzzy Hash: cb4d3cc9b32ad5e7149a5689f5c5395596a44e76c3ef3df8053dac48d7498a80
                                  • Instruction Fuzzy Hash: 662117B58002489FDB10CFAAD884AEEBFF4EB48310F14801AE958A7351D374A944CF61

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 0148611C-01486842 and calls DuplicateHandle
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0148674E,?,?,?,?,?), ref: 0148680F
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_1480000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: aa004f7dda89deb8e682a28fac682a9984ec1e76f85033e79cc0673bd527d3f1
                                  • Instruction ID: 392ed17926b7419555d94a3aa69334a9e482ac834e3f759dfa23d5629618b94e
                                  • Opcode Fuzzy Hash: aa004f7dda89deb8e682a28fac682a9984ec1e76f85033e79cc0673bd527d3f1
                                  • Instruction Fuzzy Hash: 0D21E3B5901248AFDB10DF9AD984AEEBFF4EB48320F14841AE958A7310D374A944CFA5

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 0541C91C-0541E29C and calls EnumThreadWindows
                                  APIs
                                  • EnumThreadWindows.USER32(?,00000000,?), ref: 0541E259
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: EnumThreadWindows
                                  • String ID:
                                  • API String ID: 2941952884-0
                                  • Opcode ID: 9d7d1008b5177c134f2f84aba76bb5cbf3cb253d3e6d5c315516e930fc40b242
                                  • Instruction ID: 4842c72d137561da7ee08076e343fed165586a341c2d4c33b071ecaaa8a12d7c
                                  • Opcode Fuzzy Hash: 9d7d1008b5177c134f2f84aba76bb5cbf3cb253d3e6d5c315516e930fc40b242
                                  • Instruction Fuzzy Hash: B82107B59042098FDB14CF9AC844BEEFBF9EB88310F14842AE859A7250D774A945CFA5

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 05419D7C-0541B25A and calls CreateIconFromResourceEx
                                  APIs
                                  • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0541B182,?,?,?,?,?), ref: 0541B227
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: CreateFromIconResource
                                  • String ID:
                                  • API String ID: 3668623891-0
                                  • Opcode ID: d7168180562d95c42fa956e518f75cbceba4a16c348c2be7442905db56529fb9
                                  • Instruction ID: 27a0d5b25f3bffedcbfd061febd189b98d50cb72955215c1ec84e807d3bfa5e6
                                  • Opcode Fuzzy Hash: d7168180562d95c42fa956e518f75cbceba4a16c348c2be7442905db56529fb9
                                  • Instruction Fuzzy Hash: A31179B1800349DFCB10CF9AD844BEEBFF8EB48360F14845AE954A7210C375A954CFA5

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 0148C1F0-0148C280 and calls GetModuleHandleW
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0148C256
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_1480000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: d1ba5f20710a886a77b4679b1fa9f0b4e08d380f384bce2da055af78c30ba481
                                  • Instruction ID: 598678ad56325858271e0b8bf4b96875d1871f4574b8a7e108f2957ad59b8661
                                  • Opcode Fuzzy Hash: d1ba5f20710a886a77b4679b1fa9f0b4e08d380f384bce2da055af78c30ba481
                                  • Instruction Fuzzy Hash: A71110B5C002498FDB10DF9AC844ADEFBF4AB88320F10842AD429B7650C375A545CFA1
                                  APIs
                                  • SendMessageW.USER32(?,?,?,?), ref: 0541B58D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: 733aea502bc0806f3d84bc46c9fb9114d5e24166a848e4fd78a26287f4909a2e
                                  • Instruction ID: 76ae688ec4944c77a4095da6b07bfe9083c7b2091f1603893d535e7ac2a9a4eb
                                  • Opcode Fuzzy Hash: 733aea502bc0806f3d84bc46c9fb9114d5e24166a848e4fd78a26287f4909a2e
                                  • Instruction Fuzzy Hash: A31106B5800348DFCB10DF9AD484BEEBBF8EB48314F10845AE958A7310C3B5A944CFA5
                                  APIs
                                  • SendMessageW.USER32(?,?,?,?), ref: 0541B58D
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: MessageSend
                                  • String ID:
                                  • API String ID: 3850602802-0
                                  • Opcode ID: ad5fd8ead2728289f1ceadb9a1c72721ef0ae5c3f0fe490c4489140f2015433f
                                  • Instruction ID: edbe6821b41b15029a97276d76c90b2fa7cd201257466431d8c4a113172e9ec5
                                  • Opcode Fuzzy Hash: ad5fd8ead2728289f1ceadb9a1c72721ef0ae5c3f0fe490c4489140f2015433f
                                  • Instruction Fuzzy Hash: CC11D6B58003499FDB10DF9AD885BDEBFF8EB48314F10845AE558A7610C375A984CFA5
                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 05412075
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 26ba89cadf9a216dc17e03edbd1eead5fe67708cee6954b915844ed8851c049f
                                  • Instruction ID: 1371e9f0170360ee5088c66b656da84b06260f0cb27d2814723d14a03b977e34
                                  • Opcode Fuzzy Hash: 26ba89cadf9a216dc17e03edbd1eead5fe67708cee6954b915844ed8851c049f
                                  • Instruction Fuzzy Hash: 0A1106B58042499FDB10CF9AD445BDFBFF8EB48320F10855AE959A7310C3B5A944CFA5
                                  APIs
                                  • SetWindowLongW.USER32(?,?,?), ref: 05412075
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_5410000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID: LongWindow
                                  • String ID:
                                  • API String ID: 1378638983-0
                                  • Opcode ID: 62755c9521c515348589892d427709a601395c2c67c7880d943c0fc8665d78f6
                                  • Instruction ID: f5d9fab3d75eaefde893ce2dc2159165e5d898f5e31e7aca747a79c4cda69a7d
                                  • Opcode Fuzzy Hash: 62755c9521c515348589892d427709a601395c2c67c7880d943c0fc8665d78f6
                                  • Instruction Fuzzy Hash: 5A1100B58002498FDB10CF9AD484BDEBBF8EB48320F20851AE959A7310C3B5A944CFA5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1806312621.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_123d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 216dfffbf7526093dae9621109388fc620d34c7da23b06b19bd607ff63fbcb69
                                  • Instruction ID: 31b3405fee75e47dac7146ee99faa3b008d9c183791c42f20b074ec67e3a4695
                                  • Opcode Fuzzy Hash: 216dfffbf7526093dae9621109388fc620d34c7da23b06b19bd607ff63fbcb69
                                  • Instruction Fuzzy Hash: 9B2130B0614208DFCB11DF68D980B26FBA5EB84B14F60C569E90A4B256C37AD406CA61
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.1806312621.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_123d000_doc_Zapytanie - Oferta POLSKA 91044PL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33756d8b4f719ad9cca1da437ab33c0a31313b4922a9b888174b99caff0ac726
                                  • Instruction ID: 6d70480b00180710440c10c0f5cc7c3956ab1b8f4552d11b42500aadf76e8351
                                  • Opcode Fuzzy Hash: 33756d8b4f719ad9cca1da437ab33c0a31313b4922a9b888174b99caff0ac726
                                  • Instruction Fuzzy Hash: 6B2183755083849FCB02CF64D994711BF71EB86714F28C5DAD9498F2A7C33A981ACB62
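                                  The function summaries above (an "APIs" list, a "Memory Dump Source" line and a "Similarity" block per function) are easier to triage once grouped by the memory region they were lifted from. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses a constructed excerpt copied from the entries on this page, splits the .sdmp file name into its hex fields and groups the functions by process and region. The field positions inside the .sdmp name (process id first, base address fourth, page protection fifth) are assumptions made for this example; the PAGE_* values themselves are the Windows constants from winnt.h, and 0x40 is PAGE_EXECUTE_READWRITE.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: a few function summaries copied from this report page.
REPORT_EXCERPT = """\
APIs
• CreateActCtxA.KERNEL32(?), ref: 01487421
Memory Dump Source
• Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID: Create
• Opcode ID: b19397e2cdfee59b0cf53e55b082265cdb24a96584901a409a9c8b975f466fe7
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0148674E,?,?,?,?,?), ref: 0148680F
Memory Dump Source
• Source File: 00000002.00000002.1808095124.0000000001480000.00000040.00000800.00020000.00000000.sdmp, Offset: 01480000, based on PE: false
Similarity
• API ID: DuplicateHandle
• Opcode ID: cb4d3cc9b32ad5e7149a5689f5c5395596a44e76c3ef3df8053dac48d7498a80
APIs
• EnumThreadWindows.USER32(?,00000000,?), ref: 0541E259
Memory Dump Source
• Source File: 00000002.00000002.1821889022.0000000005410000.00000040.00000800.00020000.00000000.sdmp, Offset: 05410000, based on PE: false
Similarity
• API ID: EnumThreadWindows
• Opcode ID: 9d7d1008b5177c134f2f84aba76bb5cbf3cb253d3e6d5c315516e930fc40b242
APIs
• GetCurrentProcess.KERNEL32 ref: 00E4D496
• GetCurrentThreadId.KERNEL32 ref: 00E4D569
Memory Dump Source
• Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• Opcode ID: cfc3c70a7c0727919dd263565a51896dca2eec4f213e88beec0f355c7cedc6b8
"""

# One API line: "• Name.MODULE(args), ref: ADDR" (the parenthesised argument list is optional).
API_RE = re.compile(
    r"^• (?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SRC_RE = re.compile(
    r"^• Source File: (?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
OPCODE_RE = re.compile(r"^• Opcode ID: (?P<opcode>[0-9a-f]{64})$")

# Windows PAGE_* memory protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)  # (api, module, ref address) tuples
    source_file: str = ""
    offset: int = 0
    based_on_pe: bool = False
    opcode_id: str = ""


def parse_sdmp_name(name):
    """Split the dot-separated hex fields of a .sdmp file name.
    Assumed layout (not documented on this page): field 0 = process id,
    field 3 = region base address, field 4 = PAGE_* protection value."""
    fields = name.split(".")
    return {"pid": int(fields[0], 16), "base": int(fields[3], 16), "protect": int(fields[4], 16)}


def parse_entries(text):
    """Turn the report text into FunctionEntry records; an 'Opcode ID' line closes a record."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m["api"], m["module"], int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.source_file = m["file"]
            cur.offset = int(m["offset"], 16)
            cur.based_on_pe = m["pe"] == "true"
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["opcode"]
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def summarize(text):
    """Group functions by (process id, region base) and flag unbacked RWX regions."""
    regions = {}
    for e in parse_entries(text):
        meta = parse_sdmp_name(e.source_file)
        key = (meta["pid"], meta["base"])
        r = regions.setdefault(key, {
            "functions": 0,
            "apis": set(),
            "protect": PAGE_PROTECT.get(meta["protect"], hex(meta["protect"])),
            "based_on_pe": e.based_on_pe,
            # executable+writable memory that is not a mapped PE: unpacked or injected code
            "unbacked_rwx": meta["protect"] == 0x40 and not e.based_on_pe,
            "offset_matches_base": meta["base"] == e.offset,
            "refs_in_region": True,
        })
        r["functions"] += 1
        r["apis"].update(api for api, _, _ in e.apis)
        # every call-site address should lie at or above its own region's base
        r["refs_in_region"] &= all(ref >= meta["base"] for _, _, ref in e.apis)
    return regions


if __name__ == "__main__":
    for (pid, base), r in sorted(summarize(REPORT_EXCERPT).items()):
        flag = " UNBACKED-RWX" if r["unbacked_rwx"] else ""
        print(f"pid {pid} region {base:08X} {r['protect']}{flag}: "
              f"{r['functions']} functions, APIs {sorted(r['apis'])}")
```

                                  Every region in this report is PAGE_EXECUTE_READWRITE and "based on PE: false", which is what you expect for code that was unpacked or injected at run time rather than mapped from the file on disk; grouping the API calls per region (DuplicateHandle and CreateActCtxA in the 01480000 region, the USER32 window and icon calls in the 05410000 region) is a quick way to tell a runtime/loader stub from the payload proper before opening the dumps in a disassembler.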

                                  Execution Graph

                                  Execution Coverage: 8%
                                  Dynamic/Decrypted Code Coverage: 100%
                                  Signature Coverage: 0%
                                  Total number of Nodes:90
                                  Total number of Limit Nodes:5
                                  • Graph image not reproduced. API-calling nodes: 00E4D660 DuplicateHandle; 00E444B4 and 00E45918 CreateActCtxA; 00E4AFBA, 00E4AFC0 and 00E4B011 GetModuleHandleW; 00E4D45E and 00E4D4ED GetCurrentProcess; 00E4D4B0 GetCurrentThread; 00E4D523 GetCurrentThreadId. Entry node 00E44668 reaches the CreateActCtxA and GetModuleHandleW nodes through the call chain 00E43E34 -> 00E45C74 -> 00E45C94 -> 00E45CC4 -> 00E45CF4 and through 00E44778 -> 00E444B4; entry node 00E4D418 reaches the GetCurrentProcess, GetCurrentThread and GetCurrentThreadId nodes in sequence.

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 00E4D418-00E4D5E5 and calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId in that order
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 00E4D496
                                  • GetCurrentThread.KERNEL32 ref: 00E4D4D3
                                  • GetCurrentProcess.KERNEL32 ref: 00E4D510
                                  • GetCurrentThreadId.KERNEL32 ref: 00E4D569
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: cfc3c70a7c0727919dd263565a51896dca2eec4f213e88beec0f355c7cedc6b8
                                  • Instruction ID: aad4f57f63a762de487ba40176ddaf5d05daeafb866f23dd0dc83f38a3d129ee
                                  • Opcode Fuzzy Hash: cfc3c70a7c0727919dd263565a51896dca2eec4f213e88beec0f355c7cedc6b8
                                  • Instruction Fuzzy Hash: B35148B4900209CFDB14DFA9D548B9EBBF1EF88314F208459E459B72A0D774A944CF65

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 00E4AD88-00E4B008, calls GetModuleHandleW and the internal routines at 00E493B4, 00E4B011/00E4B020, 00E4A0F0, 00E4A100, 00E4A110, 00E4A120 and 00E4B31F/00E4B320
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00E4AFDE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 5919303a444d1338debc07f4d9bc4ba1dbbc0b64d87fa4d1d037b0b613e8b33c
                                  • Instruction ID: aec1bc473402e25e2e2f121375f5f5c8c759f9f7dcb1d40e035468bc892fb140
                                  • Opcode Fuzzy Hash: 5919303a444d1338debc07f4d9bc4ba1dbbc0b64d87fa4d1d037b0b613e8b33c
                                  • Instruction Fuzzy Hash: BD714570A00B458FD724DF2AE44475ABBF1BF88314F048A2DD096E7B50DB74E949CB91

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 00E4590C-00E45A61 and calls CreateActCtxA
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00E459C9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 7431993d1563e73275552ddd41d8bb4ede87c904568c3a1f1b2fa2a22470b89a
                                  • Instruction ID: fc637f21e2fe62dcc1936e8aa30fc6dfabe90173743dd891ec30926217ea1a66
                                  • Opcode Fuzzy Hash: 7431993d1563e73275552ddd41d8bb4ede87c904568c3a1f1b2fa2a22470b89a
                                  • Instruction Fuzzy Hash: F441F1B1C00719DFDB24DFA9C88468EBBF5BF49304F24819AD418AB251DB75698ACF90

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 00E444B4-00E45A61 and calls CreateActCtxA
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 00E459C9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 599ca05716a44752ae5b252d44fc568008a5bc6b18359681237e6e161e63ac6b
                                  • Instruction ID: 87fbdbaca7e36f3023f6571e61e480720b1d8c4f7d9c8f6b75440aedf6c56594
                                  • Opcode Fuzzy Hash: 599ca05716a44752ae5b252d44fc568008a5bc6b18359681237e6e161e63ac6b
                                  • Instruction Fuzzy Hash: E841F1B1C00719DBDB24DFA9C884B9EBBF5BF48304F20806AD408AB251DBB56949CF90

                                  Control-flow Graph
                                  • Graph image not reproduced: single basic block 00E45A84-00E45B14 with no API calls
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c73bc1c75a4c75c3fde0899ef64b1132f3eb95f3878e5c916dc9f1389f9ff0bf
                                  • Instruction ID: 8a7026558d474b91fc271b33a33cca3a8ff4dc315207c1631a301116d43e4faf
                                  • Opcode Fuzzy Hash: c73bc1c75a4c75c3fde0899ef64b1132f3eb95f3878e5c916dc9f1389f9ff0bf
                                  • Instruction Fuzzy Hash: C531BF76C00A49CFCB11CFA8D8457EDBBF0EF95314F248289C055AB292D775A94ACF51

                                  Control-flow Graph
                                  • Graph image not reproduced: function spans 00E4D660-00E4D71A and calls DuplicateHandle
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E4D6E7
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 311056e9c910090c343e98f21c56a95a8a68eb839f727fa398bc5fbc73843638
                                  • Instruction ID: fdb21d002656fd38bd074e6baf12cd42061adab3334204e026a04e6921640dbc
                                  • Opcode Fuzzy Hash: 311056e9c910090c343e98f21c56a95a8a68eb839f727fa398bc5fbc73843638
                                  • Instruction Fuzzy Hash: 1D21E2B59002589FDB10CFAAD984ADEBBF8FB48320F14801AE958A3350D374A940CFA4

                                  Control-flow Graph
                                  • Graph image not reproduced: function entered at 00E4B011 spans 00E4AFBA-00E4B06B, calls GetModuleHandleW and the internal routines at 00E493B4, 00E4A13C, 00E4A148 and 00E4A154
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00E4AFDE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: fcd9fbd966fedacd58e986ba12546d862d3a55f26aa8f316ddb3d2ab533c0fc5
                                  • Instruction ID: 3a11b5d068d4ca03e2aa84c23ec31a97fda863663341fa4809c01341fc00a5cf
                                  • Opcode Fuzzy Hash: fcd9fbd966fedacd58e986ba12546d862d3a55f26aa8f316ddb3d2ab533c0fc5
                                  • Instruction Fuzzy Hash: 7A11E3B1A002418FD714DF69E8407EBBBF5AFC5324F0880AAE558B72A2CB749905CB61

                                  Control-flow Graph

                                  • Entry block: e4af78; basic blocks span e4af78-e4b008
                                  • API calls: GetModuleHandleW (block e4afc0-e4afeb)
                                  • Internal calls: none
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00E4AFDE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1822145705.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_e40000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 782a411249bed6872593404ce1c9a6a87f3a392709f66d6836148c3c7c084e5c
                                  • Instruction ID: fef92643c787ae4170ea997cbe83b2e11b2f2c932953935fa23e1e58da141e5d
                                  • Opcode Fuzzy Hash: 782a411249bed6872593404ce1c9a6a87f3a392709f66d6836148c3c7c084e5c
                                  • Instruction Fuzzy Hash: 1E1110B6D002498FDB10CF9AD444ADEFBF4AF88328F14842AD869B7610C379A545CFA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_ded000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab10ce3288314894dcf22c7106e36ee56733b0efab5f06ee364a91c8fbd4e1c6
                                  • Instruction ID: 0532aa4e0a3e169025bb4eb790262ade1ffe547130a7963bdfc44826c0c69e43
                                  • Opcode Fuzzy Hash: ab10ce3288314894dcf22c7106e36ee56733b0efab5f06ee364a91c8fbd4e1c6
                                  • Instruction Fuzzy Hash: 31213A71500284DFDB05EF15D9C0B16BFA6FBA4314F24C169E9094F296C736E856C7B2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_ded000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc15e9de8455415006a8b02cdc91a5ca3b7d233e29df638eed201bf7142935ea
                                  • Instruction ID: c17dcdca8d2039c3ec5caa5631421da32bcfd7fe9ad7b30e2836c3201f688351
                                  • Opcode Fuzzy Hash: cc15e9de8455415006a8b02cdc91a5ca3b7d233e29df638eed201bf7142935ea
                                  • Instruction Fuzzy Hash: 12213472504280DFCB05EF15D9C0B2BBF66FB98318F24C569E8490B256C736D856CBB2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821622768.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_dfd000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce452e7e752fb1102c322bd9b1f03cce4c1010dd8e3f84d90c5a582ac848d875
                                  • Instruction ID: 32dc8e2fbd3e997a44b86d1d9da508d5457a3eb193aa07b4c601be531f133e8a
                                  • Opcode Fuzzy Hash: ce452e7e752fb1102c322bd9b1f03cce4c1010dd8e3f84d90c5a582ac848d875
                                  • Instruction Fuzzy Hash: 00212271604208DFCB14DF14D984B26BBA7EB84314F24C569EA4A4B296CB3AD847CA71
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821622768.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_dfd000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49a9eeb2a7cba23c5f605eb5e470ce49963ab05a3472faa9caac125966bbc4f1
                                  • Instruction ID: e0bc45ca324525f43f12f3ae973f139539760d9dccc2ecb0fc79dfb7205fffaf
                                  • Opcode Fuzzy Hash: 49a9eeb2a7cba23c5f605eb5e470ce49963ab05a3472faa9caac125966bbc4f1
                                  • Instruction Fuzzy Hash: B2210471504208EFDB05DF14D9C4B3ABBA7FB84314F24C66DEA494B296C336D846CAB5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821622768.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_dfd000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a19b1b1af01678754224f8eac02d19f6384b022621c12ed3724590c53971841
                                  • Instruction ID: 2ad754b2eec5b818ac0703a610dafc42a7c0bc9d472fa7e9d09439b9f9fb5238
                                  • Opcode Fuzzy Hash: 5a19b1b1af01678754224f8eac02d19f6384b022621c12ed3724590c53971841
                                  • Instruction Fuzzy Hash: CA218E755093C48FCB02CF24D994715BF72EB46314F29C5EAD9498F2A7C33A980ACB62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_ded000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                  • Instruction ID: 74e174b4fe6efc8294f55629f2a85145a31b9b3628f5ae1e2b70ab48f8b53417
                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                  • Instruction Fuzzy Hash: EF112676404280CFCB02DF00D5C4B16BF72FBA4324F28C2A9DC090B256C33AE85ACBA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_ded000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                  • Instruction ID: 0d59845e3553249de934e9719e44572b6d0cd34d2d550a3bd7052375c08e17c3
                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                  • Instruction Fuzzy Hash: B411E676504280CFCB16DF14D9C4B16BF72FB94318F28C6AADC490B656C336D85ACBA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821622768.0000000000DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_dfd000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                  • Instruction ID: e25d882142be2dfaac293c162e195f41fc23226bff45a4a5b67f6ec4f692c83f
                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                  • Instruction Fuzzy Hash: C311BB75504284DFCB02CF10D5C4B25BBA2FB84314F28C6AAD9494B296C33AD80ACBA1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_ded000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a00e6d87b76b32352bdd0572f1a10fa192fcdef66c9494ecff57d142085c23ac
                                  • Instruction ID: d8d6d702a7e97bffc3bbed522e23475ac79c5c0251b5e15d39549b9113410d8a
                                  • Opcode Fuzzy Hash: a00e6d87b76b32352bdd0572f1a10fa192fcdef66c9494ecff57d142085c23ac
                                  • Instruction Fuzzy Hash: 6A01A7711093809AE7107B27CD84767BFD9EF55325F1CC92AED4A4A286CA79DC40C6B1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_ded000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3707d5ad6bef1f2d29a4b896679f29a341b17562bb5130446c189124a31160bc
                                  • Instruction ID: b596a907f231a78fc87fb301329ccb45d33b91883bf20c7e92c29e5d32459959
                                  • Opcode Fuzzy Hash: 3707d5ad6bef1f2d29a4b896679f29a341b17562bb5130446c189124a31160bc
                                  • Instruction Fuzzy Hash: 7EF0C272004380AEE7109B16CCC4B66FFE8EF50728F18C45AED090A286C2799C40CAB0
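The per-function entries above all follow one layout (optional API references, a Source File line naming the memory dump, then Opcode ID and Instruction ID), which makes them easy to triage by script. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses entries in this layout, groups the referenced Windows APIs by memory-dump region, lists which regions reference a chosen set of APIs, and reports Opcode IDs shared by more than one function, the situation seen in the two 00DED000 entries above that carry the same Opcode ID (201b50b495cf87aa...) with different Instruction IDs. Two readings are assumptions rather than facts stated on the page: that the first dotted field of the Source File name is the analysed process index, and that a shared Opcode ID with differing Instruction IDs means the same opcode sequence with different operands or addresses. The sample entries are constructed, with shortened hashes.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's per-function entries (hashes shortened).
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 026CD496
• GetCurrentThread.KERNEL32 ref: 026CD4D3
• GetCurrentThreadId.KERNEL32 ref: 026CD569
Memory Dump Source
• Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
• Opcode ID: aaaa1111
• Instruction ID: bbbb2222
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD6E7
Memory Dump Source
• Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
• Opcode ID: cccc3333
• Instruction ID: dddd4444
Memory Dump Source
• Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
• Opcode ID: eeee5555
• Instruction ID: ffff6666
Memory Dump Source
• Source File: 00000005.00000002.1821461575.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
• Opcode ID: eeee5555
• Instruction ID: 77778888
"""

# "Name.Module(args), ref: ADDR" where the argument list and the comma are both optional.
API_RE = re.compile(r"^(\w+)\.(\w+)(?:\([^)]*\))?,?\s+ref:\s+([0-9A-Fa-f]+)$")
# "Source File: <proc>.<iter>.<timestamp>.<base>....sdmp, Offset: <hex>, ..."
# The first dotted field is read as the process index; this is an assumption about the naming scheme.
SRC_RE = re.compile(r"^Source File:\s+(\d+)\.(\d+)\.\d+\.([0-9A-Fa-f]+)\..*Offset:\s+([0-9A-Fa-f]+)")


def parse_entries(text):
    """Return one dict per function entry: process index, dump region, API refs and hashes."""
    entries, apis, current = [], [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            apis.append({"api": m.group(1), "module": m.group(2), "ref": m.group(3)})
            continue
        m = SRC_RE.match(line)
        if m:
            current["process"] = int(m.group(1))
            current["region"] = m.group(4)
            continue
        if line.startswith("Opcode ID:"):
            current["opcode_id"] = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction ID:"):
            # Instruction ID is the last field we need, so it closes the entry.
            entries.append({
                "process": current.get("process"),
                "region": current.get("region"),
                "opcode_id": current.get("opcode_id"),
                "instruction_id": line.split(":", 1)[1].strip(),
                "apis": apis,
            })
            apis, current = [], {}
    return entries


def apis_by_region(entries):
    """Map (process index, dump base address) -> sorted names of the APIs its functions reference."""
    regions = defaultdict(set)
    for e in entries:
        regions[(e["process"], e["region"])].update(a["api"] for a in e["apis"])
    return {k: sorted(v) for k, v in regions.items()}


def regions_calling(entries, wanted):
    """Dump regions whose functions, taken together, reference every API in `wanted`."""
    wanted = set(wanted)
    return sorted(k for k, names in apis_by_region(entries).items() if wanted <= set(names))


def opcode_duplicates(entries):
    """Opcode IDs seen in more than one function, with the Instruction IDs that share them."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["opcode_id"]].append(e["instruction_id"])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for region, names in apis_by_region(parsed).items():
        print(f"process {region[0]} @ {region[1]}: {', '.join(names) or '(no API references)'}")
    print("handle-duplication regions:", regions_calling(parsed, {"GetCurrentProcess", "DuplicateHandle"}))
    print("shared opcode IDs:", opcode_duplicates(parsed))
```

Run against the full report text instead of SAMPLE, the per-region API sets give a quick view of what each injected or unpacked region does (here, the 026C0000 region of process 6 is the one touching CreateActCtxA, the current-process/thread queries, DuplicateHandle and GetModuleHandleW), and the shared-Opcode-ID list separates genuinely distinct functions from relocated copies of the same code.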

                                  Execution Graph

                                  Execution Coverage:8.8%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:46
                                  Total number of Limit Nodes:3
                                  • Root functions: 26c4668, 26cd418, 26cd660, 26cac90
                                  • 26c4668 -> 26c467a -> 26c4778 -> 26c479d -> 26c4888 / 26c4879 -> 26c48af -> 26c44b4 -> 26c5918: CreateActCtxA
                                  • 26cd418 -> 26cd45e GetCurrentProcess -> 26cd4b0 GetCurrentThread -> 26cd4ed GetCurrentProcess -> 26cd523 -> 26cd54b GetCurrentThreadId
                                  • 26cd660: DuplicateHandle
                                  • 26cac90 -> 26cad88 / 26cad87 -> 26cad99 -> 26cadb4 -> 26cafc0 GetModuleHandleW; alternative paths through 26cb011 and 26cafba also reach GetModuleHandleW

                                  Control-flow Graph

                                  • Entry block: 26cd409; basic blocks span 26cd409-26cd5e5
                                  • API calls: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                  • Internal calls: 26cd5e8
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 026CD496
                                  • GetCurrentThread.KERNEL32 ref: 026CD4D3
                                  • GetCurrentProcess.KERNEL32 ref: 026CD510
                                  • GetCurrentThreadId.KERNEL32 ref: 026CD569
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 4e33f49a25e58f61e4e7971a18a6553dad39509deb83709dda3cd942be08c6b6
                                  • Instruction ID: 5529b0514606be67a43b153dd2ea411753547474ad5a459d1f3eac8634f65a6f
                                  • Opcode Fuzzy Hash: 4e33f49a25e58f61e4e7971a18a6553dad39509deb83709dda3cd942be08c6b6
                                  • Instruction Fuzzy Hash: C45167B49003498FDB04DFAAD5487EEBBF1EB48318F20C069D049AB3A0D734A944CF66

                                  Control-flow Graph

                                  • Entry block: 26cd418; basic blocks span 26cd418-26cd5e5
                                  • API calls: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                  • Internal calls: 26cd5e8
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 026CD496
                                  • GetCurrentThread.KERNEL32 ref: 026CD4D3
                                  • GetCurrentProcess.KERNEL32 ref: 026CD510
                                  • GetCurrentThreadId.KERNEL32 ref: 026CD569
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 5ae57be77a7847a664654efbf0c7f6ff66ec1f29747f5701449d1fd46cc6e3be
                                  • Instruction ID: 90c77cda20675981651fa6cc30552e50098cb21491d9ad1fd8d334b2c412301a
                                  • Opcode Fuzzy Hash: 5ae57be77a7847a664654efbf0c7f6ff66ec1f29747f5701449d1fd46cc6e3be
                                  • Instruction Fuzzy Hash: 8A5158B09006098FDB14DFAAD548BEEBBF1EF48318F20C469D019A7360D734A944CF65

                                  Control-flow Graph

                                  • Entry block: 26cad88; basic blocks span 26cad88-26cb008
                                  • API calls: GetModuleHandleW (block 26cafc0-26cafeb)
                                  • Internal calls: 26c93b4, 26cb011 or 26cb020, 26ca0f0, 26ca100, 26ca110, 26ca120, 26cb31f or 26cb320
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 026CAFDE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 56fb938f25eafc494ba93f3a9c3667249b7638533d6a4bcc5a39fa25324fc618
                                  • Instruction ID: 660788732a32be391b493ea6de1225661595a695da8743f82df3903c48ffaacd
                                  • Opcode Fuzzy Hash: 56fb938f25eafc494ba93f3a9c3667249b7638533d6a4bcc5a39fa25324fc618
                                  • Instruction Fuzzy Hash: A17113B0A00B098FDB24EF69D44476ABBF2FB48304F108A2DD48AD7B50DB34E945CB94

                                  Control-flow Graph

                                  • Entry block: 26c590c; basic blocks span 26c590c-26c5a61 (block 26c5a61 loops on itself)
                                  • API calls: CreateActCtxA (block 26c598f-26c59d9)
                                  • Internal calls: none
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 026C59C9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 33a5832672c2d9c431c953b9e3667ccb479517f28f1852da4aa498d7361d38d0
                                  • Instruction ID: 7e3a6935f9f9b6bdc422c9ec945bbcdfd6a4860700bf230d49522fcce91b0598
                                  • Opcode Fuzzy Hash: 33a5832672c2d9c431c953b9e3667ccb479517f28f1852da4aa498d7361d38d0
                                  • Instruction Fuzzy Hash: E441F4B0D00719CFDB24DFAAC88469DBBB6FF48304F60806AD409AB250DB75694ACF90

                                  Control-flow Graph

                                  • Entry block: 26c44b4; basic blocks span 26c44b4-26c5a61 (block 26c5a61 loops on itself)
                                  • API calls: CreateActCtxA (block 26c44b4-26c59d9)
                                  • Internal calls: none
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 026C59C9
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: e28d2b7c81d03835f5612cea98316ba7b78d1a335add4b713b52a2d8271bf75d
                                  • Instruction ID: dbfeb1ba2762dcb5c86419415502f221a5b07746feb3754ef495116be453e998
                                  • Opcode Fuzzy Hash: e28d2b7c81d03835f5612cea98316ba7b78d1a335add4b713b52a2d8271bf75d
                                  • Instruction Fuzzy Hash: 3741D3B0D00719CBDB24DFAAC84469EBBF6FF48304F64806AD409BB255DB756945CF90

                                  Control-flow Graph

                                  • Entry block: 26c5a84; basic blocks span 26c5a42-26c5b14 (block 26c5a61 loops on itself)
                                  • API calls: none
                                  • Internal calls: none
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4c2d43830c6cd4ba3c5d5e52411ca3da0fbe7c02df2f01d368f35a6f4fb01c6e
                                  • Instruction ID: 4f7a09b66c17e3ef160e66c2e8b431382b4a121bcf27dbbb70a02923d516730b
                                  • Opcode Fuzzy Hash: 4c2d43830c6cd4ba3c5d5e52411ca3da0fbe7c02df2f01d368f35a6f4fb01c6e
                                  • Instruction Fuzzy Hash: 9831BCB1804289CFDB04DFE9C8557EDBFF1EF46308FA44189D006AB265CB75A94ACB41

                                  Control-flow Graph

                                  • Entry block: 26cd660; basic blocks span 26cd660-26cd71a
                                  • API calls: DuplicateHandle (block 26cd660-26cd6f4)
                                  • Internal calls: none
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD6E7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 408e162daac4b0d374f84d5c1461c332cfc71110dca73dc06144d7bcde654939
                                  • Instruction ID: 22fac6fbfa04dbe1df265d8d1b7c940184fcb00e783f5b3b6656179f81826e70
                                  • Opcode Fuzzy Hash: 408e162daac4b0d374f84d5c1461c332cfc71110dca73dc06144d7bcde654939
                                  • Instruction Fuzzy Hash: 6121E4B5900208DFDB10DF9AD984ADEBBF4EB48320F24802AE958A7310C374A940CFA5

                                  Control-flow Graph

                                  • Entry block: 26cd658; basic blocks span 26cd658-26cd71a
                                  • API calls: DuplicateHandle (block 26cd658-26cd6f4)
                                  • Internal calls: none
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD6E7
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: b25e14083a227364af99ba41b18c7b6ec7ce7a85d9d95516aeea6d249da2f691
                                  • Instruction ID: 38c701a588819850977f2e17e11b1bf3dd95006ecb19acbdd44718dc394268fc
                                  • Opcode Fuzzy Hash: b25e14083a227364af99ba41b18c7b6ec7ce7a85d9d95516aeea6d249da2f691
                                  • Instruction Fuzzy Hash: B921E4B5900349DFDB10DFAAD584AEEBBF5EB08310F24842AE958A7350C774A944CF65

                                  Control-flow Graph

                                  • Entry block: 26cb011; basic blocks span 26cafba-26cb06b
                                  • API calls: GetModuleHandleW (block 26cafba-26cafeb)
                                  • Internal calls: 26c93b4, 26ca13c, 26ca148, 26ca154
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 026CAFDE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 3685180ed532bfc9fc0f9e71266a8f960c62f3a68fefffa1d5136afbdc83ea43
                                  • Instruction ID: e47c5a45ce0c2835fff53f7c0487c81e1eb20df1200a8610e4e961f14c8227d0
                                  • Opcode Fuzzy Hash: 3685180ed532bfc9fc0f9e71266a8f960c62f3a68fefffa1d5136afbdc83ea43
                                  • Instruction Fuzzy Hash: 6C11B2B1A002498FD710EF99D8447AEBBF5EF85318F24806ED558D7251C7749805CBA4

                                  Control-flow Graph

                                  • Entry block: 26caf78; basic blocks span 26caf78-26cb008
                                  • API calls: GetModuleHandleW (block 26cafc0-26cafeb)
                                  • Internal calls: none
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 026CAFDE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861927170.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_26c0000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: d0d3fec61f1bd5cc3a2fb31793e731edd3b38c543e2696347f2c8afa8987e438
                                  • Instruction ID: 6b9f0d40779bc7393f52348aaa3bbf2871e7ce7ad8cbf75e7619eed631343327
                                  • Opcode Fuzzy Hash: d0d3fec61f1bd5cc3a2fb31793e731edd3b38c543e2696347f2c8afa8987e438
                                  • Instruction Fuzzy Hash: EC1102B6C002498FCB10DF9AC444ADEFBF4EB48224F20842AD469A7610C375A545CFA5
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861754248.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_2580000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f1a2d1d0624065897ee926d6be90979d8aa9f0018bdfdfd2b9e8a3ecede2c06
                                  • Instruction ID: 90c5f4bb0ac91898573f1dff4724c939bf81e99b8425c87a0937e6def08adefa
                                  • Opcode Fuzzy Hash: 9f1a2d1d0624065897ee926d6be90979d8aa9f0018bdfdfd2b9e8a3ecede2c06
                                  • Instruction Fuzzy Hash: 47F0EDB0D04249AFC740EFBC88113EEBFF4BF89324F0049A9D014E7141E7B4020A8B98
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858486912.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a7d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 30d29bd2d1cf031917b3d28a22d74c4e947fb35df210b162272ba7a989188413
                                  • Instruction ID: 07762ee4aec9cbdb267b4059c080900b1027d7b5cefd9ddd9f88d2136d042552
                                  • Opcode Fuzzy Hash: 30d29bd2d1cf031917b3d28a22d74c4e947fb35df210b162272ba7a989188413
                                  • Instruction Fuzzy Hash: 6D210372500204EFDB05DF14DAC4B26BF75FF98324F20C569E90D4B256C336E856CAA2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858711031.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a9d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: db3158fefc6dd0cd89e1e72277a62503e9e6c09e2e9d7129668ad117bd1016c9
                                  • Instruction ID: e82f58213f7cf145e21c89291028a6053b91c0a5cdfd802579cff8209caf8c85
                                  • Opcode Fuzzy Hash: db3158fefc6dd0cd89e1e72277a62503e9e6c09e2e9d7129668ad117bd1016c9
                                  • Instruction Fuzzy Hash: 6921F271604200DFDF14DF24D984B26BFA5FB84314F20C569D84A4B296C33AD887CA61
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858711031.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a9d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 220c32914305e936536ae75dc70c676ce125968041ba7767575a48cf85a12144
                                  • Instruction ID: 11ff36cd81b55e6ff391f4e54bb0b142ac455fd2b69db261c359837aeba0f9c5
                                  • Opcode Fuzzy Hash: 220c32914305e936536ae75dc70c676ce125968041ba7767575a48cf85a12144
                                  • Instruction Fuzzy Hash: 81210475604200EFDF05DF14DAC0B66BBE5FB94314F20C66DE9094F296C336D886CA61
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858711031.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a9d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: acfa77bc75365cacc06245143c4caf6885f7799c388615246dc10b5452d572d1
                                  • Instruction ID: 2131cd848caa22af9e16bd82cc1d5241d8c0641d9ab49bcad835a521e0998366
                                  • Opcode Fuzzy Hash: acfa77bc75365cacc06245143c4caf6885f7799c388615246dc10b5452d572d1
                                  • Instruction Fuzzy Hash: 3F21A4755093808FDB02CF24D594715BFB1EB45314F28C5DAD8498B297C33AD84ACB62
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861754248.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_2580000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f63db0df3353a4e07159db8c7507af6f86e71f94b04fec47b83c6405c1175fb
                                  • Instruction ID: be5d79e480b7eacb65b9c2599916ff82ff6d5f5da85bb66439239d5db99bff13
                                  • Opcode Fuzzy Hash: 0f63db0df3353a4e07159db8c7507af6f86e71f94b04fec47b83c6405c1175fb
                                  • Instruction Fuzzy Hash: AE111770E0120ACFDB14EF69C044AAEFBF1BF48314F1484AA9418AB361E775E945CB94
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861754248.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_2580000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08548e701d8ac4363ca55e1e0b07f9f656af7123beca7486f795e54acfe37e08
                                  • Instruction ID: d523241ba425dc4ae181fd765ab3455322ec78ed7416850d6e47980ae9df01ad
                                  • Opcode Fuzzy Hash: 08548e701d8ac4363ca55e1e0b07f9f656af7123beca7486f795e54acfe37e08
                                  • Instruction Fuzzy Hash: 4B116D70E01205CFDB14EF68C054AAEFBF1BF89314F1584A9D854AB361D7759842CF90
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858486912.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a7d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                  • Instruction ID: 62417d4936cf678db72456c9e69d3dddae97bbc8acdb2ca3dbb3f0624a45ee71
                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                  • Instruction Fuzzy Hash: 0511D076504280DFDB16CF14D9C4B16BF72FF94324F24C6A9D9090B656C33AE85ACBA2
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858711031.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a9d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                  • Instruction ID: 4a20418663811efc3227c5eed09deef8da66bd764653ce9b45ae88a6d0201c56
                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                  • Instruction Fuzzy Hash: 7B11BB75604280DFCB02CF10C5C4B55BBA1FB84314F24C6AAD8494F296C33AD84ACB61
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858486912.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a7d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f752be03ef7da71926314df98ec45322935a99925329e3995b6576424c24e55e
                                  • Instruction ID: cbea473d5d28278ba8415f361a14f32beddca66d1edb5266f85731dd1c59c0a8
                                  • Opcode Fuzzy Hash: f752be03ef7da71926314df98ec45322935a99925329e3995b6576424c24e55e
                                  • Instruction Fuzzy Hash: 2C01A2711083409AE7148B2ACD84B67BFB8EF51724F28C92AED0D4E286C7799844C6B1
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1858486912.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a7d000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d292c0017761a3b12f044e26e274882b098b765aad35b0aefcb73e13dc93483
                                  • Instruction ID: 2c6613d522bbad5cb0b1c9270c5b4fef9ccb47e2432fc63cc03d857a863c8a80
                                  • Opcode Fuzzy Hash: 1d292c0017761a3b12f044e26e274882b098b765aad35b0aefcb73e13dc93483
                                  • Instruction Fuzzy Hash: F4F062714083449EE7148B1ADCC4B62FFA8EF51734F18C45AED4C4F286C3799844CAB1
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.1861754248.0000000002580000.00000040.00000800.00020000.00000000.sdmp, Offset: 02580000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_2580000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 04908978e576aa2db028167238ced61c996739660de3051858f3188f3334dfe9
                                  • Instruction ID: 2375d5ba61218c288a3bc11025a7773a78790ed77277b9f06cedca028daa69dc
                                  • Opcode Fuzzy Hash: 04908978e576aa2db028167238ced61c996739660de3051858f3188f3334dfe9
                                  • Instruction Fuzzy Hash: ACD062B0D4430ADED780FFB9850575EBFF5BB44300F108965C515F6241E7B442498F99
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0bcbd6c24b14b6380919bc009f3b18ffb9cb9e3a29f68cb9a1c03310911940ad
                                  • Instruction ID: 5ff56ab070412272727c97df4f41a1a75f58420ff24c9d63c6a5b6dfee6e5870
                                  • Opcode Fuzzy Hash: 0bcbd6c24b14b6380919bc009f3b18ffb9cb9e3a29f68cb9a1c03310911940ad
                                  • Instruction Fuzzy Hash: AA327A70B012059FDB29EBA9C590BAEBBF6BF89301F14446DE106DB3A1DB35E901CB51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                  • API String ID: 0-1605395142
                                  • Opcode ID: 1a9ad2644173b01d541548d60499e0904eb2a4c1746c1e75b9ab59b4a94dd995
                                  • Instruction ID: 54f610681b8b834b9ae6d230ee93207a3be2bb1081e39dda835ec065dcbcd60d
                                  • Opcode Fuzzy Hash: 1a9ad2644173b01d541548d60499e0904eb2a4c1746c1e75b9ab59b4a94dd995
                                  • Instruction Fuzzy Hash: 8772EA70A4020A8FDB19EF75E9586EDBBF2FF44304F1085A9D049AB269DF305D8A8F51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                  • API String ID: 0-1605395142
                                  • Opcode ID: a1d08b44920e705886bebd28856080aaf1e5305a2a91ff9de5b41581e90fc0dc
                                  • Instruction ID: b64d128afdd2d6906328d723649e121cf5dd60b65f0325ce4bf038de0b5049d1
                                  • Opcode Fuzzy Hash: a1d08b44920e705886bebd28856080aaf1e5305a2a91ff9de5b41581e90fc0dc
                                  • Instruction Fuzzy Hash: F872DA70A4010A8FDB18EF75E9586EDBBF2FF44704F1085A9D049AB269DF306D8A8F51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$(bq$Hbq
                                  • API String ID: 0-2835675688
                                  • Opcode ID: a1560c7d0a9f715e9ddf2b6662d80d5aa02a1456d050342ef1cfcbc1919147e1
                                  • Instruction ID: 083ea3a602e43a9ac92a6b85dcf4040b55917ed031672d160b93591a5e8211f7
                                  • Opcode Fuzzy Hash: a1560c7d0a9f715e9ddf2b6662d80d5aa02a1456d050342ef1cfcbc1919147e1
                                  • Instruction Fuzzy Hash: 69E15534A00209DFCB54EFA4D8949AEBBB6FF89310F108569E4156B365DB34ED82CF90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: `Q^q$`Q^q$`Q^q
                                  • API String ID: 0-846367443
                                  • Opcode ID: 94f1991db459930530d465e715c123f79d0a12f16ca8207524d16583e90917f4
                                  • Instruction ID: 43e2d632b58748be692311166c4560a9cfce54b8c3e904e9499d4f0cfddadc3a
                                  • Opcode Fuzzy Hash: 94f1991db459930530d465e715c123f79d0a12f16ca8207524d16583e90917f4
                                  • Instruction Fuzzy Hash: 49212931F002559BEB26EB78C80876EBBF2BB45F04F24005DD245EB284C7B4598587E2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q$4'^q
                                  • API String ID: 0-2697143702
                                  • Opcode ID: 480c8f3ef108b77c2b52008a544f76235ff0d279d541b6350f9e28a1eb5a531c
                                  • Instruction ID: c58c4606dd2f21b2bbbdb981704293c8abdee11c091f6f826971ff826adad628
                                  • Opcode Fuzzy Hash: 480c8f3ef108b77c2b52008a544f76235ff0d279d541b6350f9e28a1eb5a531c
                                  • Instruction Fuzzy Hash: BCC1B374A00618CFCB44EFA8C994AADB7B6BF89300F504568E506AB3A5DB71ED42CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'^q$4'^q
                                  • API String ID: 0-2697143702
                                  • Opcode ID: 9880f63a8c79724c38e1cfdcda565f67b35b611b6faffc4b5ffc047a872b5631
                                  • Instruction ID: b5729a83184e76e8cb594657cb3a52dcf88afa2e3cec97044ae96d9302d6fe6a
                                  • Opcode Fuzzy Hash: 9880f63a8c79724c38e1cfdcda565f67b35b611b6faffc4b5ffc047a872b5631
                                  • Instruction Fuzzy Hash: 27C1C674B00618CFCB44EFA8C994AADB7B6BF89301F504568E506AB3A5DB71ED42CF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$Hbq
                                  • API String ID: 0-4081012451
                                  • Opcode ID: a28d4487196a22f07ffbdc9a3af5fc26ee47aff321b858a1216381d62e320e6a
                                  • Instruction ID: 239f6efcb35ebb8de331b1207783f09fe583e8b27083a19411f005f052a4f9c4
                                  • Opcode Fuzzy Hash: a28d4487196a22f07ffbdc9a3af5fc26ee47aff321b858a1216381d62e320e6a
                                  • Instruction Fuzzy Hash: 0D71DF30B046158FC740EBA8C95496EBBB6FF89701B1041AEE506DB3A1DF34ED46CBA1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$Hbq
                                  • API String ID: 0-4081012451
                                  • Opcode ID: 5c3ef7aa47783ba78b5f05f14fcf5e7f51a83a6e8b51c8507f5f525f23671c45
                                  • Instruction ID: bb2038553279a266af3e313de6d37fb77b44173e461fbe53e447d28b6ef15998
                                  • Opcode Fuzzy Hash: 5c3ef7aa47783ba78b5f05f14fcf5e7f51a83a6e8b51c8507f5f525f23671c45
                                  • Instruction Fuzzy Hash: 4261DB307042958FCB25DFBD845426EBFE2BF89201B1485ADD546CB791DE34ED068F91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$Hbq
                                  • API String ID: 0-4081012451
                                  • Opcode ID: c970e04b454a247896e1b95de06fa673ba6d727be13195944a29cd036aa92f44
                                  • Instruction ID: c0a336a68ca24a41a98a5c1a41f64f5cf80013c956bea8bfbce266ee28f8fbf0
                                  • Opcode Fuzzy Hash: c970e04b454a247896e1b95de06fa673ba6d727be13195944a29cd036aa92f44
                                  • Instruction Fuzzy Hash: EC510E713007558FD325DF6AC88475BBBE2FF84320F108A2EE55A8B3A0DB74E8458B90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq$,bq
                                  • API String ID: 0-1616511919
                                  • Opcode ID: a3d60fd699259a179e9281a41d48ee1f84fcad03acc03929ca8a35ccf37826ab
                                  • Instruction ID: 0af028b5a50506560c8b3dfc5d9426a2fd3149adb2ca1e6b72b89ee2fd0af177
                                  • Opcode Fuzzy Hash: a3d60fd699259a179e9281a41d48ee1f84fcad03acc03929ca8a35ccf37826ab
                                  • Instruction Fuzzy Hash: 8A41C3327001596FCF029EEA9C508FFBBEAFF8D251B04406AFA19D3251DA35C9159BA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Pl^q
                                  • API String ID: 0-2831078282
                                  • Opcode ID: 807e209e868789651f933a6d8d8cd1302493f22829ee101d9405e0a1a4d79de9
                                  • Instruction ID: ed9fd3a81869753a45ea8d71f47f5762611eaeb19f8bad9866882be21d1c65eb
                                  • Opcode Fuzzy Hash: 807e209e868789651f933a6d8d8cd1302493f22829ee101d9405e0a1a4d79de9
                                  • Instruction Fuzzy Hash: F8D1FB74B102189FCB44EFA8D994EAEB7F7BF88700F104558E406AB3A5CA75ED42CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (bq
                                  • API String ID: 0-149360118
                                  • Opcode ID: be264a4f5197e5fa41fc51842c8964e6591f22439065b146fa95ee418f698cde
                                  • Instruction ID: 91914f67802566132fc894409ad14df48991a709f42692d77964709759593ff3
                                  • Opcode Fuzzy Hash: be264a4f5197e5fa41fc51842c8964e6591f22439065b146fa95ee418f698cde
                                  • Instruction Fuzzy Hash: B2A17F35304204DFD7159F64D854A2A7BB3FFC9311B1585ADE10A8F3A2CA36EC46DB51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Pl^q
                                  • API String ID: 0-2831078282
                                  • Opcode ID: c5100da0f34f0cbb1cda1f57c4e8db7221e0f76f4baa91bb8d4b4c577ce21544
                                  • Instruction ID: b2f4991ead8886fd970b885eb1fc9d6cf01ce579da7477b4f67de6fbafce766f
                                  • Opcode Fuzzy Hash: c5100da0f34f0cbb1cda1f57c4e8db7221e0f76f4baa91bb8d4b4c577ce21544
                                  • Instruction Fuzzy Hash: B4B13E74B102189FCB44EFA8D894EAEBBF6BF89700F104558E405AB3A5CB75ED42CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Hbq
                                  • API String ID: 0-1245868
                                  • Opcode ID: 264350b4019b873035482a612f658434f6a4370ad1e90930de0a5d52ae7ce64d
                                  • Instruction ID: fbe42e52e4e460790b3272b76c858fce5182ad0164869e0ac315e52343d9deac
                                  • Opcode Fuzzy Hash: 264350b4019b873035482a612f658434f6a4370ad1e90930de0a5d52ae7ce64d
                                  • Instruction Fuzzy Hash: A3518C303006118FD719AB2DC854B2E77E6FFC5710F248469E206CB7A5CB75DE0687A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: `Q^q
                                  • API String ID: 0-1948671464
                                  • Instruction Fuzzy Hash: 6941E2342002458FCB24CFBDC88466A7FF6BF89216F04856DE891CB691E770D949CF90
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7ac283b533b3d8752863597a466f50690411e46d0f1138b454b3ad7082d61b32
                                  • Instruction ID: 6e09fffc97f3c717ef3c4f20916f5913cbadc2da1843dbec61eea1b4dad4ed3d
                                  • Opcode Fuzzy Hash: 7ac283b533b3d8752863597a466f50690411e46d0f1138b454b3ad7082d61b32
                                  • Instruction Fuzzy Hash: 72413A793006058FC709DB68C458AAABBB2BFC931AB1544ADE5199F372CB35EC42CF51
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 92b6ef80a5b98b5a73115440b4f2f8576ea04402318c059dead2fba0e701a850
                                  • Instruction ID: bc340a36fd93bc65cf93138ddec25623039cb09dc3c63f828b83fe68568d3d1f
                                  • Opcode Fuzzy Hash: 92b6ef80a5b98b5a73115440b4f2f8576ea04402318c059dead2fba0e701a850
                                  • Instruction Fuzzy Hash: 7641A871B003169FDB15DBA5D4546AEB7E3FFC8204F54852DD40AAB384EF70AC8A8B91
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3308c44c61c2b8a288b7ed4d70689558aa5a97eb428e705e18da57b101784a0
                                  • Instruction ID: 1076e5356821e716e21added7c8888306617850404099ffbe5cf9a32f0b52ff4
                                  • Opcode Fuzzy Hash: e3308c44c61c2b8a288b7ed4d70689558aa5a97eb428e705e18da57b101784a0
                                  • Instruction Fuzzy Hash: 78319C34B006088FCB45EFA8C85496EBBB6BFC9700B00859ED406DB365EF749D46CBA1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28f7d53eaae9f31f7bb59722a5e008b9daffb02be5653f6dced3c9968eb54ec6
                                  • Instruction ID: 84634f7e963259770715718503dd7952c10d02fa130f5d3cb57b3b041610bea8
                                  • Opcode Fuzzy Hash: 28f7d53eaae9f31f7bb59722a5e008b9daffb02be5653f6dced3c9968eb54ec6
                                  • Instruction Fuzzy Hash: 6F41E0B0C0061DDFDB24DFA9C884BDEBBB5BF48304F24806AD408AB255DB756985CFA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: befd2c0263e91a972b47795f47bdf09240c1e1a0fdaad84433cea81f71f974d5
                                  • Instruction ID: aea19feb6bf8bf747201659359b8ec67e140ca01ef73df1fe1eb3494de6a353b
                                  • Opcode Fuzzy Hash: befd2c0263e91a972b47795f47bdf09240c1e1a0fdaad84433cea81f71f974d5
                                  • Instruction Fuzzy Hash: CC41C3B1C00619CFDB24DFA9C984BDDBBB5BF44304F24806AD418AB255DB756945CF90
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b89e9f07348e6be1d9140078063f7741701bceaca952a63941fa380540027ba9
                                  • Instruction ID: 68e208fadd6da21f49e2a00d26a27593ffcd608e145415fdf4df928a45be5c96
                                  • Opcode Fuzzy Hash: b89e9f07348e6be1d9140078063f7741701bceaca952a63941fa380540027ba9
                                  • Instruction Fuzzy Hash: ED311935A0011D9FDB54DFA8D854AEEB7B6FF88312F108069E805B73A4CA75AD05CFA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8bbd68d828806c5b6ea327814eda83d7a9dc14c5cac8abf6cbfc252b5ec5eb88
                                  • Instruction ID: 96a3e4ef6eff729d31f2ef54965e04fc881e0621f0402ea09d81786f628a18a2
                                  • Opcode Fuzzy Hash: 8bbd68d828806c5b6ea327814eda83d7a9dc14c5cac8abf6cbfc252b5ec5eb88
                                  • Instruction Fuzzy Hash: A0318034B106088FCB84EF64C894A6EB7BABFC8700F10855AD5169B368DF70AD42CBD1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc5e1826fbc966faf47c5f2fd7e9cfdb9907458c74118ce81f4a01093480b8a9
                                  • Instruction ID: 9c43a72ce9993b556b80db82d512287e5b6427c9fae866ef419794a013a85083
                                  • Opcode Fuzzy Hash: dc5e1826fbc966faf47c5f2fd7e9cfdb9907458c74118ce81f4a01093480b8a9
                                  • Instruction Fuzzy Hash: 4F311035A002458BE706DFB9D514669BBF2AFC9300B2A8569D104EB396DB38D941CBA1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d7a81c6f00930ad95f60bd116606dc9418a3d081184fe4752155ac2b9fd6ea3
                                  • Instruction ID: 173b4e5f88c539cd9551e27b7dbbf841c8f52fc3bb9aaec19e4ae80cbc99852f
                                  • Opcode Fuzzy Hash: 3d7a81c6f00930ad95f60bd116606dc9418a3d081184fe4752155ac2b9fd6ea3
                                  • Instruction Fuzzy Hash: 0F310131A001458BE706DFB9D5506AEBBF2FFC9300B268169D105EB396DB38ED41CBA1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8bc72a7f31fe3c94e69abc953a1e8236d219a57078d68bfd1f596fafadfe284d
                                  • Instruction ID: 99a4f22b5339bcdf018a2c83181c79b411d2d9347572f6569d62e63512f34234
                                  • Opcode Fuzzy Hash: 8bc72a7f31fe3c94e69abc953a1e8236d219a57078d68bfd1f596fafadfe284d
                                  • Instruction Fuzzy Hash: 502109317006059FE714BBB994083AFBED2BB85350F844868C645D73D5EF348A46C7E2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d2aa1b056f0b5d400d1a774f01a942c42739f4e7078bc8a69aa87031c542a693
                                  • Instruction ID: ebb6b580e36d444f33cc570c228915bcdb896bbe57604f48cb1044d02f0de5b5
                                  • Opcode Fuzzy Hash: d2aa1b056f0b5d400d1a774f01a942c42739f4e7078bc8a69aa87031c542a693
                                  • Instruction Fuzzy Hash: 4321F3343002409FD709677D981872FAAEFFFC9200F18446ED50AC73A5DD69DC8A83A2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e8a21df470ca6e3083cc76291c7e210b29f3e62aab706e820c0a31fec87c4fa
                                  • Instruction ID: 364af190635411b31915d25a66ae36322caf881a09130ce569c75f87f6328bf9
                                  • Opcode Fuzzy Hash: 2e8a21df470ca6e3083cc76291c7e210b29f3e62aab706e820c0a31fec87c4fa
                                  • Instruction Fuzzy Hash: 8C3136B5A00259DFCB10DF99D484AEEBFF5FB88320F14802AE914A7350D334A950CFA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f46c487babb62ba3eafc7a5dc5cc0c20c81b97bbb1b632c072400adb7d8aeda1
                                  • Instruction ID: 23de2b1ebc19ce02158c1588570464c4192e37c8f9882075dae868d404686f48
                                  • Opcode Fuzzy Hash: f46c487babb62ba3eafc7a5dc5cc0c20c81b97bbb1b632c072400adb7d8aeda1
                                  • Instruction Fuzzy Hash: 01216D303006129FE718EB2DD854B2E77A6FFC8714F508169E205CB3A4CB75EE4287A6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f2105f7ecafcf551e7d295942de1c8f34aec1799f3986aef5cb47a3151ff3538
                                  • Instruction ID: 526aca5857844f3269cd5af307491b78ab6c086fa360e91174556132314b8b59
                                  • Opcode Fuzzy Hash: f2105f7ecafcf551e7d295942de1c8f34aec1799f3986aef5cb47a3151ff3538
                                  • Instruction Fuzzy Hash: 80315E30600215CFDB24EF28C584BA9B7B2FF85304F5044A8D119AB7A6DB74EE85CF61
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf259a37e6754dd43fbcd07766234e8241cd8a39d138c03ba15282e6b89fee06
                                  • Instruction ID: 7a44d610f76b657e501f01e2df0239615278d25cd633b3aab5833fdb90ef28cc
                                  • Opcode Fuzzy Hash: bf259a37e6754dd43fbcd07766234e8241cd8a39d138c03ba15282e6b89fee06
                                  • Instruction Fuzzy Hash: BB11E131B053959FE7197B3C441807E7EA6AFC5310B1844AADB06CB295DE248A0787A2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a96aa3e8ae01f320b549b49e9ed83e9c153815420e52647e61d6dae555e06f4f
                                  • Instruction ID: 6142fb4e87035a031e5bd21800e5a44d6060cda22a976fb1a35957e80096d72a
                                  • Opcode Fuzzy Hash: a96aa3e8ae01f320b549b49e9ed83e9c153815420e52647e61d6dae555e06f4f
                                  • Instruction Fuzzy Hash: 5511D3343002019FD709667D981872FA9DFEFC8640F14447ED50AC77A4DE69EC8A87A6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337130035.00000000017FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017FD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_17fd000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 070495c94f2216181fab0a64e83170832dd2156c07169d10763e196270f1792c
                                  • Instruction ID: 8772a58081507cc769176612ebb76f959d903a0a34f9735c5624f424fc3f3de6
                                  • Opcode Fuzzy Hash: 070495c94f2216181fab0a64e83170832dd2156c07169d10763e196270f1792c
                                  • Instruction Fuzzy Hash: 0921D071604204DFDB25DF58D984B27FBA5EB88354F20C5ADEA0A4B356C33AD446CA62
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e5c81d3fac143eec6d34cdb4660b3c153310b81a3e47c8da31d9c9a30e5ccfeb
                                  • Instruction ID: 517307ad4aec19e597d1843f63ac67292639e5d9ba9aec8ce51711c79977fe6f
                                  • Opcode Fuzzy Hash: e5c81d3fac143eec6d34cdb4660b3c153310b81a3e47c8da31d9c9a30e5ccfeb
                                  • Instruction Fuzzy Hash: C3213971A102189FCB169FA8C844AEE7FB6BB8D320F14462DE415BB391DB319945CFA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6a49086d310fee11b402d781f6a37ee2fdac952f6e419e396c14e4d30ce0225e
                                  • Instruction ID: 4e98c211798646941adeea9bcc42ff75d73c816ef5e99e471915b8440fb26041
                                  • Opcode Fuzzy Hash: 6a49086d310fee11b402d781f6a37ee2fdac952f6e419e396c14e4d30ce0225e
                                  • Instruction Fuzzy Hash: CC2162716002068BD755EF2DC880395F7E2FF9A310F54C6B9E509DF389EA74AD458B90
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 443fdcc01604b79f8f1d9c6cc0112910fcf53d5d3c04acd55f1da54835d23359
                                  • Instruction ID: 7edc4cf3c6aea55f83a15a4b571f04d9c64e1ae7bda2f83fbf2d4606ee4d8823
                                  • Opcode Fuzzy Hash: 443fdcc01604b79f8f1d9c6cc0112910fcf53d5d3c04acd55f1da54835d23359
                                  • Instruction Fuzzy Hash: 042192716002068BD715EF6DC840795F7E2FF9A310F58C6BAE909DF386E674AC458BA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b0c3a309e0cf05a2cc6ba2604b31403766d20027bd0d72c6738f9cca60bca896
                                  • Instruction ID: 1cb1fd3edef269a9d7150a74511293582fa6c5d89701008c4a67e0972b2275de
                                  • Opcode Fuzzy Hash: b0c3a309e0cf05a2cc6ba2604b31403766d20027bd0d72c6738f9cca60bca896
                                  • Instruction Fuzzy Hash: 75216D70200B409FE716DF28C049755BBE1FF81308F144A6DE166CF6A1C7B6E99ACB95
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 294300a9121613ccc5d34d7910b669a80bf163513ef452a05022bb325f805d6b
                                  • Instruction ID: 8e46f696645f14bcc0aa303d08fb3f24722545e903989701afdbaf42e28afbac
                                  • Opcode Fuzzy Hash: 294300a9121613ccc5d34d7910b669a80bf163513ef452a05022bb325f805d6b
                                  • Instruction Fuzzy Hash: F3214971A102189FCB169FA9C844AEEBFB6FF8C320F148629E515B7390DB319841CF90
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 523a031f3a4be110fbfd8f960b064e3bc4248653bab453c99a894ffe9a3d6e99
                                  • Instruction ID: c099189d08f8d052b68510260b5f034a4ac892820207174f157e8e8dd4fd3984
                                  • Opcode Fuzzy Hash: 523a031f3a4be110fbfd8f960b064e3bc4248653bab453c99a894ffe9a3d6e99
                                  • Instruction Fuzzy Hash: 1811C031B406198FDF15EBACC9407EDBBB2BF88301F044929D015EB295EB389A448BA1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cbf68cb006d6f1ee9076f07356086e8317ecf3fcdd00887fd35288b968bdd719
                                  • Instruction ID: 71f243b106b9a72f6ff322986d80f4881c67b887b9cf38b8fc0f529ccf840adc
                                  • Opcode Fuzzy Hash: cbf68cb006d6f1ee9076f07356086e8317ecf3fcdd00887fd35288b968bdd719
                                  • Instruction Fuzzy Hash: AA21E3B5900218DFDB10DF9AD984ADEBFF4EB48320F14841AE958A7310D374AA54CFA5
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28086e1cf3093986a48a889498ea6aa11128caf36bcf6c31d2098933c230ddf7
                                  • Instruction ID: f4a844fc76cf8769feabc664f722cd6a0bdc237d95dfafcbbd7d43f76651306b
                                  • Opcode Fuzzy Hash: 28086e1cf3093986a48a889498ea6aa11128caf36bcf6c31d2098933c230ddf7
                                  • Instruction Fuzzy Hash: 0921DE307002048FCB50DF64D984AAABBF6BF89300F04456AE402DB361DB70ED05CB61
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8f90ae87be890db408e85501646c4d4b2e28b290417d227aa290fc7771d649c
                                  • Instruction ID: 223cc1422ff34a7a0081088c9693e6f41d288576af488b89b368cd20367230c5
                                  • Opcode Fuzzy Hash: b8f90ae87be890db408e85501646c4d4b2e28b290417d227aa290fc7771d649c
                                  • Instruction Fuzzy Hash: 53215A302007409FE726DF28C059755BBE1EF81308F144AADD156CF6A6C7B6E99ACB91
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b4a085e1be7d7cc6de36d5cf86ce2fe2149d0a5ad041316e4fdbb529d0ce79e
                                  • Instruction ID: 0953da015b0c759420f21de13703727c83907527878d0d1b2ff9e8c109378c3f
                                  • Instruction ID: 7d8ea416e42c959648e61920a9780f5f73850eafabb441b5fc2437bac756766d
                                  • Opcode Fuzzy Hash: 56892cdafcd9647092a12b9f729583eacecc1d7904a94b4b5c0e5cf2a22147c0
                                  • Instruction Fuzzy Hash: 71F0E9613493D28FD753777CA4909BA3FA65F41321B05049AD045EF2A7D6098D02CBB2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c251e564a09cbaa1f5a150ceb156ee41b72a604dd4f4de7950051ade1131bb08
                                  • Instruction ID: eeeecedd7c37bcb23bbf7b6717314687df8ca29636d19e989a435425c8b57cdd
                                  • Opcode Fuzzy Hash: c251e564a09cbaa1f5a150ceb156ee41b72a604dd4f4de7950051ade1131bb08
                                  • Instruction Fuzzy Hash: 89E0E531B407192BDB20B67D8900A9FBF99DF80760F004634D518CB358EF25EE4947D0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 482f2b07e04f10878e4383e5ff3818f7738f1db8800f03f2b5b2a0e1f7f61aff
                                  • Instruction ID: a4301a427fd534993550f475bb1edc08efb33f6dc8176b659101aa94042473ee
                                  • Opcode Fuzzy Hash: 482f2b07e04f10878e4383e5ff3818f7738f1db8800f03f2b5b2a0e1f7f61aff
                                  • Instruction Fuzzy Hash: 5CF030303500154BDB08B76CD494B6E779AEFDAB00F4084AAF10ACB7A9CE65DD4147E2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44d7b0131e6f90fa143841b9bfaba8dad7ee0350378acf1395bfca94b2d9968a
                                  • Instruction ID: 77059bdb7f9e91389391d2af1984883cc92e2059d1760dfa48fb866bf94ce2c4
                                  • Opcode Fuzzy Hash: 44d7b0131e6f90fa143841b9bfaba8dad7ee0350378acf1395bfca94b2d9968a
                                  • Instruction Fuzzy Hash: 36F0543A200559AFCF029F85C804CAD7FAAFB8D3107098065FA05CB275D736D9259BA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 412b8ddeb0185d800cdc3a2ec938eb4372e5ad55c01a48cfad7daa2319d1e0a7
                                  • Instruction ID: a6510bbf97e4d3d6a3644fe655d968e8f39d3675016b2a7249b2f7bace526dcd
                                  • Opcode Fuzzy Hash: 412b8ddeb0185d800cdc3a2ec938eb4372e5ad55c01a48cfad7daa2319d1e0a7
                                  • Instruction Fuzzy Hash: 0FF0396904A384AFD30367B0D964881BF74AE6321575A80EBD04A8B673D626895BCB35
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cf24c5adec8eef3c1a00efefd0d9da815df77954cd74e026e5602f31a3ac14d
                                  • Instruction ID: 2bdb8b4af8b1c5922780444b3e90cdddbbd6f2c35e6e3f1eac92da87633a582e
                                  • Opcode Fuzzy Hash: 6cf24c5adec8eef3c1a00efefd0d9da815df77954cd74e026e5602f31a3ac14d
                                  • Instruction Fuzzy Hash: DDF090B0A40129EFDB519F94CC9ABEEBBB6FF84611F06401CE006A72A0CB704C05CF40
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2143ce4497934b2d4d8786dac8ceb407c412eb6fae18c4b3207bf756b727bea8
                                  • Instruction ID: d1359e9b8354e196bb6cd97c9ca1e986dfa2e293b4ff358d1fbfdc4ea53b0867
                                  • Opcode Fuzzy Hash: 2143ce4497934b2d4d8786dac8ceb407c412eb6fae18c4b3207bf756b727bea8
                                  • Instruction Fuzzy Hash: 8AF0A0737002846F8250A69D600256BFBCAABE9233B1848AFE14AC7211CA61DC47CBA0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 528e63cb7936322fe5c7ec1586298cd319784d03281f36618c45cb9592ec3519
                                  • Instruction ID: 10a64ed3d579da233a9a04498478d29d6beb25b77b8b197d5edf8e33e8a112e7
                                  • Opcode Fuzzy Hash: 528e63cb7936322fe5c7ec1586298cd319784d03281f36618c45cb9592ec3519
                                  • Instruction Fuzzy Hash: 6AF05E393003049FC714DB19D854D3A77AAEFC9721B104169FA068B361CA31EC42CF90
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e5c31756b7d9d3ac4eca2c26b3885147f4e6a49fa7269c782549781e9ce08fc
                                  • Instruction ID: 7491a7323e4a172f716fd099a7333b4cc8df02e97785f7d9e396891a9a09b7de
                                  • Opcode Fuzzy Hash: 7e5c31756b7d9d3ac4eca2c26b3885147f4e6a49fa7269c782549781e9ce08fc
                                  • Instruction Fuzzy Hash: 59E0D83171410617B758F17F9C109B7338FDBC07A4B08843DA609CB2C9EF909E0242B1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88c722d65e7cfab43e669f26cdf9622fd2aeddfb7b8af3940aac43cb3b72b26a
                                  • Instruction ID: 3f33c34b41530e35b0f2643be9c99105c23dec6d97d904f3bd99adc69b8b39db
                                  • Opcode Fuzzy Hash: 88c722d65e7cfab43e669f26cdf9622fd2aeddfb7b8af3940aac43cb3b72b26a
                                  • Instruction Fuzzy Hash: 82F06230115384CFE3276FBAE5453657F959B52314F084096D441C79E6DB698A86CF32
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7b9cf8f1902a4a359e17527328e3086e957dd733b8570fa8496e62df85a84d8
                                  • Instruction ID: 28f91b82e42539e28fed0a6de351c9c1bb3197a8117003cfe5a71c733893d12d
                                  • Opcode Fuzzy Hash: b7b9cf8f1902a4a359e17527328e3086e957dd733b8570fa8496e62df85a84d8
                                  • Instruction Fuzzy Hash: 87E0D8363406354BD311AA7DD800AA673AEDF54765B508076EA04CB761EA31DD82D3D1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7493de77afd5c0a4a60f61b73120917cf1a1d68207a152855319c07b80433b03
                                  • Instruction ID: f8e38f337dc8070334bc69be0707487695c71b9108fc0c74759771f2b8cb30d4
                                  • Opcode Fuzzy Hash: 7493de77afd5c0a4a60f61b73120917cf1a1d68207a152855319c07b80433b03
                                  • Instruction Fuzzy Hash: F0E092323005148BEF21A7FEF8006E9B39CEB41369B180566F60EE7281EB51ED108791
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1249fa7367839f3a68dd33b3c3e85e170850434b30c914d055cd61489e5e661d
                                  • Instruction ID: 9dd3434eca662de68569624ac5de859d0e75517f015cdf32bc921232fef82b62
                                  • Opcode Fuzzy Hash: 1249fa7367839f3a68dd33b3c3e85e170850434b30c914d055cd61489e5e661d
                                  • Instruction Fuzzy Hash: B7E092322401061BC904F32CA8949BEAADBCFC2360B800839E11ADB358DE20AE4643E6
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 856a80f72b36da2d7fcc93e9c0cbee26038708fc5ee7e77e032a13f0ef3f8606
                                  • Instruction ID: acc205c40e64c9fc2d0d39302b7dd754993024594ebda241ce727548bfbac906
                                  • Opcode Fuzzy Hash: 856a80f72b36da2d7fcc93e9c0cbee26038708fc5ee7e77e032a13f0ef3f8606
                                  • Instruction Fuzzy Hash: 64F089757101059FD720CF98D485EAABB79FF89714B10805DF105E7262CA31E806CBA1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cf64d4d76593789fa8a68e0c6913e16591d8726d01eccf7272978f0296cfd080
                                  • Instruction ID: 4fc82c35b7d394ffffbd4e0bd33f61078979d0aa515abf78a0f67f1b86ca4225
                                  • Opcode Fuzzy Hash: cf64d4d76593789fa8a68e0c6913e16591d8726d01eccf7272978f0296cfd080
                                  • Instruction Fuzzy Hash: 16F08220111345CAE73BBAFEF685339BF98EB61314F044096E405C79DADBA48A90CF72
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc89f02124ee70e9035155284e2c98e11bedd0196943714ad95f2441d7925424
                                  • Instruction ID: 28b7cf46ff68f2d95f7b0cf0ee30e6077779c9dafb5d013d5f10ec6063013bed
                                  • Opcode Fuzzy Hash: cc89f02124ee70e9035155284e2c98e11bedd0196943714ad95f2441d7925424
                                  • Instruction Fuzzy Hash: DEF0B234A02209DFDB66DFA0E599BAEBBB2FF48642F21402CF406A2254CB305E44CF40
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ecad108c4f1d63eb357076909ad5d32202fe378da08efa6546f95c376858e7a6
                                  • Instruction ID: cffccfcd549151545fd99704099f9b061a4f83055c89cc0e719a8196107d39f6
                                  • Opcode Fuzzy Hash: ecad108c4f1d63eb357076909ad5d32202fe378da08efa6546f95c376858e7a6
                                  • Instruction Fuzzy Hash: DBF0223A24A7618FC3028F7CC9106943BB18F06324B1500A2D880CB762D636CC82D781
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 232e5890f287fd5e8e494d6516f3410b7531a0c5ab737ee621d2f948c77498ed
                                  • Instruction ID: eb13971e3e1eca6e8c0542f238dc5a57f1b2307b12b8efb9eb9e915fb33030b7
                                  • Opcode Fuzzy Hash: 232e5890f287fd5e8e494d6516f3410b7531a0c5ab737ee621d2f948c77498ed
                                  • Instruction Fuzzy Hash: 0AE01276714B004BD764CA6EF551257B3E2EFC4261748C92EE59AC7B54DA30F8418F40
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 56cc9f0be4afc0ac644165525d597ad076ee9766bdce824a08779b9a407e207f
                                  • Instruction ID: 3907e95f1b73f0619f61226fb10d474954c0c70deeff3c394057d7ea19eebe3f
                                  • Opcode Fuzzy Hash: 56cc9f0be4afc0ac644165525d597ad076ee9766bdce824a08779b9a407e207f
                                  • Instruction Fuzzy Hash: CBE0C2323006248B9B04FAEDF8408E977DCFB48A6530400EAF60CC7A50CB51ED008791
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 76c700b5c63f12473e5803b8821e718b209c5f7a32f34651c3ebeb37f720fcbf
                                  • Instruction ID: f38ca3f59a4da97c105d5f96e4ece1acf3cf585eeeef74d2834aa96bc6352f91
                                  • Opcode Fuzzy Hash: 76c700b5c63f12473e5803b8821e718b209c5f7a32f34651c3ebeb37f720fcbf
                                  • Instruction Fuzzy Hash: DAE092316042504EDB11D3B4A41939DBBE3EB84314F40086AC25A97640DFB6698983D2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 88a129e1c597cb879a3d4d488f2713637a5766d695ceb9c6c822da2d939973e0
                                  • Instruction ID: b7f8a29122cbbe4aec33e3afb60269798e74edf307716288ebd137a4da7d751b
                                  • Opcode Fuzzy Hash: 88a129e1c597cb879a3d4d488f2713637a5766d695ceb9c6c822da2d939973e0
                                  • Instruction Fuzzy Hash: F0E0C2213056904FD34AA3749C2819A3B87DB8722134981DF914A8BAA3CA644C028B55
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac2a9f74d035811cfb06694f42ceab863d63cbffc65681379f4d8eb445510d4b
                                  • Instruction ID: 906d236d9aa7890754cf39ec82f72ad369e9da554bbec5d2bb1fe652913f1cc4
                                  • Opcode Fuzzy Hash: ac2a9f74d035811cfb06694f42ceab863d63cbffc65681379f4d8eb445510d4b
                                  • Instruction Fuzzy Hash: 9AE0EC71A083428FEB07EB35DB4A6657BB0EB422647094BA5E0048A566E66C5D0B8B91
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7223d46c0ea33e95d359782dea5405d7328e0e7c305587aec2ba573bb9552895
                                  • Instruction ID: a3d2fbf1ee63b6f9a30fa9612357c78591602b7cc4d276b51f33dd3e47f8d5b3
                                  • Opcode Fuzzy Hash: 7223d46c0ea33e95d359782dea5405d7328e0e7c305587aec2ba573bb9552895
                                  • Instruction Fuzzy Hash: 82E0127200D3846FC352D664E851896BF65AF52224349C8CFE489CF167C7368843D762
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 92f2d5dd7fd78db9fc20bb9195c14ac562d230a0540f1620c7b884718cc6bf46
                                  • Instruction ID: acad4ea8019233b4bbb5bd1de45f84714bfe4fe93fb1d2623f37549cc94124c1
                                  • Opcode Fuzzy Hash: 92f2d5dd7fd78db9fc20bb9195c14ac562d230a0540f1620c7b884718cc6bf46
                                  • Instruction Fuzzy Hash: 2BD05E72F0451443C31BAA8CB0092EAFBD2BBD9221F854066D90883298FEA44C4203A2
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53e6e58a63a886111e708651c49f1f64a6d55add431c6ebcfb33509fe8c99429
                                  • Instruction ID: ea924cc88399977c2246c39a3817cfa380b59959d3dac032c41b637d16ab435e
                                  • Opcode Fuzzy Hash: 53e6e58a63a886111e708651c49f1f64a6d55add431c6ebcfb33509fe8c99429
                                  • Instruction Fuzzy Hash: 41D0A732164510078A14B22CA58486EF6A9EDC4710780493AE04BC322C9E50DA894194
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 880bb2497b63f41a17f43e3973fa7dda96dfa08161b8eb2887dce41678396273
                                  • Instruction ID: ad6c9d0d3f014dfeebd23ff1e3cd2a89a0c38a26786764f5d66130ffcd55b884
                                  • Opcode Fuzzy Hash: 880bb2497b63f41a17f43e3973fa7dda96dfa08161b8eb2887dce41678396273
                                  • Instruction Fuzzy Hash: B2D0C97531021847C708A6BAA8185AF72CFDBCA661B55806E960A83B55CE749C0287AA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8926c182a4a6a3081465e7ad1db67142105f52dcd99e503def6bd972d3015d94
                                  • Instruction ID: e1b47322e67be836808413cff5e48c3febf8275958314cf0e6df223acdc0242b
                                  • Opcode Fuzzy Hash: 8926c182a4a6a3081465e7ad1db67142105f52dcd99e503def6bd972d3015d94
                                  • Instruction Fuzzy Hash: 40D052B2109780BFC3429B64DC44C823FB89B172A130A40C3E088CF233C2228804D732
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 252efbe82c7d5f8f2a0e4d5eb11607f53e95096eb62d6f0be4dacdcd788f7db5
                                  • Instruction ID: 82662ce20633f0b44cc6e253d0452cf94bb50b43290730e5efa77a41a21f7318
                                  • Opcode Fuzzy Hash: 252efbe82c7d5f8f2a0e4d5eb11607f53e95096eb62d6f0be4dacdcd788f7db5
                                  • Instruction Fuzzy Hash: 7BD0125230052247E65A776CA950FAB26CBEB81655F4100A8D605DB7E6EA04CD4107D1
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9109e6dd9bf08d2669265f0b45441361bd45ef65f1926d0f9513b4400ba1359
                                  • Instruction ID: e7b6ea49efe58f656d3b5f395eae85b3a40e3f8402900385ab25203d369c565f
                                  • Opcode Fuzzy Hash: f9109e6dd9bf08d2669265f0b45441361bd45ef65f1926d0f9513b4400ba1359
                                  • Instruction Fuzzy Hash: ABD0677090431DCADB18DBEDC9987ACBBB2AF84315F604429C009AB294D779894ACB61
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2337493254.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1880000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.2379086224.00000000085C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_85c0000_workbook.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (_^q$(_^q$(_^q$(_^q
                                  • API String ID: 0-2697572114

                                  Execution Graph

                                  Execution Coverage:6.8%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:80
                                  Total number of Limit Nodes:9

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 02DB65BE
                                  • GetCurrentThread.KERNEL32 ref: 02DB65FB
                                  • GetCurrentProcess.KERNEL32 ref: 02DB6638
                                  • GetCurrentThreadId.KERNEL32 ref: 02DB6691
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 02DB65BE
                                  • GetCurrentThread.KERNEL32 ref: 02DB65FB
                                  • GetCurrentProcess.KERNEL32 ref: 02DB6638
                                  • GetCurrentThreadId.KERNEL32 ref: 02DB6691
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02DBC256
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0

                                  Control-flow Graph

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02DB7421
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  Control-flow Graph

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 02DB7421
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0

                                  Control-flow Graph

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DB680F
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0

                                  Control-flow Graph

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02DB680F
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02DBC256
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881855059.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2db0000_workbook.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881206667.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2ced000_workbook.jbxd
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.1881206667.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_2ced000_workbook.jbxd