Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
doc_Pedido 02024091622008176.com.exe

Overview

General Information

Sample name:doc_Pedido 02024091622008176.com.exe
Analysis ID:1512678
MD5:f5045f23c9ebfcda88db9a040544f462
SHA1:f255e8e514826f27e003e443cf319eda0198d674
SHA256:b4a61a178dfda52928802e1189f3bf1bef1c03aecf6b6fc99d2a3713f3d5e202
Tags:comexe
Infos:

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • doc_Pedido 02024091622008176.com.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe" MD5: F5045F23C9EBFCDA88DB9A040544F462)
    • doc_Pedido 02024091622008176.com.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe" MD5: F5045F23C9EBFCDA88DB9A040544F462)
      • schtasks.exe (PID: 7528 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • workbook.exe (PID: 7580 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: F5045F23C9EBFCDA88DB9A040544F462)
        • workbook.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: F5045F23C9EBFCDA88DB9A040544F462)
          • schtasks.exe (PID: 7728 cmdline: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • workbook.exe (PID: 7644 cmdline: C:\Users\user\AppData\Roaming\SubDir\workbook.exe MD5: F5045F23C9EBFCDA88DB9A040544F462)
    • workbook.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: F5045F23C9EBFCDA88DB9A040544F462)
    • workbook.exe (PID: 7904 cmdline: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" MD5: F5045F23C9EBFCDA88DB9A040544F462)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Quasar RAT, QuasarRATQuasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat

Malware Configuration

Threatname: Quasar

{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.1436292930.000000000363C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
    0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
      00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
        00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
          00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_QuasarYara detected Quasar RATJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            14.2.workbook.exe.2d4124c.0.raw.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
              3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpackJoeSecurity_QuasarYara detected Quasar RATJoe Security
                3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                  3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpackMAL_QuasarRAT_May19_1Detects QuasarRAT malwareFlorian Roth
                  • 0x28ef4d:$x1: Quasar.Common.Messages
                  • 0x29f276:$x1: Quasar.Common.Messages
                  • 0x2ab83a:$x4: Uninstalling... good bye :-(
                  • 0x2ad02f:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
                  3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpackINDICATOR_SUSPICIOUS_GENInfoStealerDetects executables containing common artifcats observed in infostealersditekSHen
                  • 0x2aadec:$f1: FileZilla\recentservers.xml
                  • 0x2aae2c:$f2: FileZilla\sitemanager.xml
                  • 0x2aae6e:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
                  • 0x2ab0ba:$b1: Chrome\User Data\
                  • 0x2ab110:$b1: Chrome\User Data\
                  • 0x2ab3e8:$b2: Mozilla\Firefox\Profiles
                  • 0x2ab4e4:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2fd440:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
                  • 0x2ab63c:$b4: Opera Software\Opera Stable\Login Data
                  • 0x2ab6f6:$b5: YandexBrowser\User Data\
                  • 0x2ab764:$b5: YandexBrowser\User Data\
                  • 0x2ab438:$s4: logins.json
                  • 0x2ab16e:$a1: username_value
                  • 0x2ab18c:$a2: password_value
                  • 0x2ab478:$a3: encryptedUsername
                  • 0x2fd384:$a3: encryptedUsername
                  • 0x2ab49c:$a4: encryptedPassword
                  • 0x2fd3a2:$a4: encryptedPassword
                  • 0x2fd320:$a5: httpRealm
                  Click to see the 19 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Suspicious Add Scheduled Task Parent
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\workbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\workbook.exe, ParentProcessId: 7672, ParentProcessName: workbook.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 7728, ProcessName: schtasks.exe
                  Sigma detected: Suspicious Schtasks From Env Var Folder
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe", ParentImage: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe, ParentProcessId: 7396, ParentProcessName: doc_Pedido 02024091622008176.com.exe, ProcessCommandLine: "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f, ProcessId: 7528, ProcessName: schtasks.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-09-17T18:08:19.382431+020020355951Domain Observed Used for C2 Detected213.159.74.809792192.168.2.749705TCP
                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-09-17T18:08:19.382431+020020276191Domain Observed Used for C2 Detected213.159.74.809792192.168.2.749705TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Found malware configuration
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpackMalware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;", "SubDirectory": "SubDir", "InstallName": "workbook.exe", "MutexName": "0235e291-5d04-4fa3-932c-869aeec51499", "StartupKey": "workbook", "Tag": "Long Leg", "LogDirectoryName": "Logs", "ServerSignature": "XBBvS+rvDQy/NRA7cnb+1Bf2zFbsUHBtrkbS5j0N0VYcCxHngz7kKbyn5Jk5bqDEI6eX9AB+bIEClKSPSVh4o0tmRTlCyQR8n6K5WidNbCUdY2+XqfpKSeeSe+/39iGrb9ZLHaZnA9ciC9yC4PwnmFUO4AD6c2tNeWgm2PU1ohA9OikWzIuh/ks9RkLPCX2N5NbpAd+AvnufkOJwDLDXLT4MfcZlD2s7folRvVMxMcO7qQh4qI3ucP90WFCEokdbM4Rp3wOtslDricIMAIkAmogGRz4B5aLGHo+UKGsYDeV1bWBtzFi1XTWQ/6q4qfqiD4xLJpDFMICIRPNdK9raQkGcTP03+NhWNSswQU59I2Ar9A0CAUdysw34N2Kjm/UbGRrW3+j9kbJxMldClUDkeN0cGmVyyaiGpPUQBlBuqH620bBOymsxD3XZ6Ouxl9MgjTV6Il/iiq/NSebMLiET2K09Tvpmc/8DD8KLeu+5NrJnmChJat6LR2NCPqv1vp8xPgJNCm4DSv6HB78QRq0Ni/oqW7UBnQR4da5/ckoEk+1ZyMZ/TftczNdKaLoyii2gXx3EzDhVEQy9OH8iNQqevGPW/pTYqLGAkH4hRs0+kir9p7nSGZpHvgHSJL7DbCzKlTEYyAlb4VFoR4L+DhJ0+A8JWxhOkfSCX2jo3RVCcPs=", "ServerCertificate": "MIIE9DCCAtygAwIBAgIQANqzkhOLx49IztAjuviKazANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MDgyMDEyNDQxNVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgCzkFEuivKBaTsClmq/3wI2X1uYUZUxf0vEiobTv72lQBIu1jz/r6PADg+cpeGisY1MV3VsdWhecO8dT7LosHtl/FnpTjASkUp3LF0d6cPTgeLsKbK/xJ06uq5gaKvG8Q5zXq6Jbxv+STJdEgmxCf1SPAXViD1PIiGLt2B24qZyOtsSpTSnM5cQuLAvr/6xZG7GYkCU7PRADMGFUm3Xg6L3vRUU3h6vaddoMBAW9ENXVaym1eN5aax3x4tLNUp+kerM+kb/Ab/mi01+PfutPKTptP/dqEGZuKmVrGdX9A+s2Wo6sPtSl85NJT+HT+SSrROvGbx4GH3d6MSHx71JSzy+dph46LV3brBMzY/2xvLbIuPVHqniL/Y0bsUke6aD9cfXIa4UBi7TiKBuoKJYqoYa/VgdoqB4yDaczAnzzYXov7thvPL1Rwv5TueNsPSrQbXbvEJUDxRazlLIrGLuYzeGrnbFHOTM8KKpSVnE8uiXiSEW31DRNHXyLImklMHjwtGd4sjZD5EfkUcg1v9gVCu80ggT+/l7SflY07DOLFvS1ii2ZUPu3IjcbyPtlFj6pGUYjMbIZj8AdqIKyMh6IWtbsu6TMC2yEPSk5pwXrEf7M89nIfHtuhZio+mZ0MhGyHos3nv51/dDBKQnEtcJiODik24kI3JTMGnfQsp7IMjECAwEAAaMyMDAwHQYDVR0OBBYEFFUq5ihhM0we5AVYMhcmFpT6wUKMMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADggIBAFQvpu2xTTenJ6N6YiRWxJ1cwH673yEt60lfsF/xncTeD79qdjD371b1GzQtcYZtYuSdgajGG4YZ8gBrwthm2fOcfuWK2VRDOe7/++mJVEvvsUzzexNeB5nZCYuu1N4UA7z8RHJy6ycPTTcelqyMKUjAGTCZa2BQhkxoFq+wBrEZrY975RcEe7bNNWg0S8YpvdKXxwy/gDZUoWyWXvgmDFQ6VjzDk3jJb0fonxnP/9F7sjd1uU2t5d6aQdPXzbzgWC/IKRXpfdIIZe15uHs1o1O909ymViRRsyy36cjwZ1M2snHWsU7vO//CptldBoV6k6bKkvXA23Cg1vUT0mj0MW554Vb20afxPhyWqHQa4ffHspH2HxViicHx9YaD+WjNAER0Skdo7/sxVR9Ozms2kb8Tyd18mwtVvwmlBNdtwsw8MX9PeW0AXlJUXkHkj47TVP+yyv1dKdUaGZq+ErPjiGoQGBCeHrrtGh+WryK38T7huLnpt++Q4U+CJ6+u9Mvd+C7MCZmgsO9sn0fTL/z54j3zBaWZoRcUZg8IZ7U+C5eGCrg9VjubVdYSar5CrCQnw8x2Rl63qjLVOwpiRoNnEXxmE23yyx1hkP8r27EcTbH7PpJHI22khScfDhf0X/99HEaBqcs+GI+YnC5dpPHY9koTdT5JckCfPJ9sprOn9Ble"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeReversingLabs: Detection: 50%
                  Multi AV Scanner detection for submitted file
                  Source: doc_Pedido 02024091622008176.com.exeReversingLabs: Detection: 50%
                  Yara detected Quasar RAT
                  Source: Yara matchFile source: 14.2.workbook.exe.2d4124c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.1436292930.000000000363C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1379208411.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1308157223.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 6932, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 7396, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7580, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7644, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7672, type: MEMORYSTR
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: doc_Pedido 02024091622008176.com.exeJoe Sandbox ML: detected
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49707 version: TLS 1.2
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: ivGs.pdbSHA2566 source: doc_Pedido 02024091622008176.com.exe, workbook.exe.10.dr
                  Source: Binary string: ivGs.pdb source: doc_Pedido 02024091622008176.com.exe, workbook.exe.10.dr
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 4x nop then jmp 0556498Dh3_2_05563F29
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4x nop then jmp 0127498Dh14_2_01273F29
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 4x nop then jmp 01BC498Dh15_2_01BC3F29

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 213.159.74.80:9792 -> 192.168.2.7:49705
                  Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 213.159.74.80:9792 -> 192.168.2.7:49705
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: twart.myfirewall.org
                  Yara detected Generic Downloader
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPE
                  Source: global trafficTCP traffic: 192.168.2.7:49705 -> 213.159.74.80:9792
                  Source: Joe Sandbox ViewIP Address: 213.159.74.80 213.159.74.80
                  Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                  Source: Joe Sandbox ViewIP Address: 195.201.57.90 195.201.57.90
                  Source: Joe Sandbox ViewASN Name: CTINET-ASCTINETAutonomousSystemRU CTINET-ASCTINETAutonomousSystemRU
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: ipwho.is
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0Host: ipwho.isConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: twart.myfirewall.org
                  Source: global trafficDNS traffic detected: DNS query: ipwho.is
                  Source: workbook.exe, 00000010.00000002.3752724771.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.16.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                  Source: workbook.exe, 00000010.00000002.3752724771.00000000011E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enn
                  Source: workbook.exe, 00000010.00000002.3757524186.00000000030E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.is
                  Source: workbook.exe, 00000010.00000002.3757524186.00000000030E6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ipwho.isd
                  Source: workbook.exe, 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                  Source: workbook.exe, 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/d
                  Source: doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1354341850.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3757524186.0000000002F4B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: workbook.exe, 00000010.00000002.3757524186.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3757524186.00000000030D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3757524186.0000000002F52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                  Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.7:49707 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Installs a global keyboard hook
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\workbook.exeJump to behavior

                  E-Banking Fraud

                  barindex
                  Yara detected Quasar RAT
                  Source: Yara matchFile source: 14.2.workbook.exe.2d4124c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.1436292930.000000000363C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1379208411.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1308157223.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 6932, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 7396, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7580, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7644, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7672, type: MEMORYSTR

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: doc_Pedido 02024091622008176.com.exe
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_01AADE343_2_01AADE34
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_055677583_2_05567758
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_055604783_2_05560478
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_055667503_2_05566750
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_055667403_2_05566740
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_055600403_2_05560040
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_05561B203_2_05561B20
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_055623F83_2_055623F8
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_078952E43_2_078952E4
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_0789F7D83_2_0789F7D8
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_0789F7F83_2_0789F7F8
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_078924A93_2_078924A9
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_078924B83_2_078924B8
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_07DBAC903_2_07DBAC90
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_07DBAC803_2_07DBAC80
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_08217FCC3_2_08217FCC
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_08211FF83_2_08211FF8
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 10_2_0161F03C10_2_0161F03C
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 10_2_0571906810_2_05719068
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 10_2_0571051810_2_05710518
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 10_2_0571050810_2_05710508
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 10_2_05719EE010_2_05719EE0
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_010EDE3414_2_010EDE34
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_0127761814_2_01277618
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_0127000614_2_01270006
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_0127004014_2_01270040
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_01271B2014_2_01271B20
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_012723F814_2_012723F8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_012765F814_2_012765F8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_0127046914_2_01270469
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_0127047814_2_01270478
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_0127660814_2_01276608
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_056F7FCC14_2_056F7FCC
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A852E414_2_08A852E4
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A824A914_2_08A824A9
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A824B814_2_08A824B8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A8F7F814_2_08A8F7F8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A8F7D814_2_08A8F7D8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_0199DE3415_2_0199DE34
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC775815_2_01BC7758
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC004015_2_01BC0040
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC23F815_2_01BC23F8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC047815_2_01BC0478
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC046915_2_01BC0469
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC672A15_2_01BC672A
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC675015_2_01BC6750
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC1B2015_2_01BC1B20
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CB7FCC15_2_07CB7FCC
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CB9F4115_2_07CB9F41
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CC52E415_2_07CC52E4
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CCF7D815_2_07CCF7D8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CCF7F815_2_07CCF7F8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CC24B815_2_07CC24B8
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CC24B715_2_07CC24B7
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07DFAC9015_2_07DFAC90
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07DFAC8015_2_07DFAC80
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 16_2_0145F03C16_2_0145F03C
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 16_2_07FEB6E016_2_07FEB6E0
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 16_2_07FE7E4816_2_07FE7E48
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 20_2_02EEF03C20_2_02EEF03C
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000000.1278046569.000000000123C000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameivGs.exe: vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1308157223.00000000034F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1327656534.0000000007A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameGB-lesson-forms.dll@ vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1307091103.000000000177E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1308157223.000000000354E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exeBinary or memory string: OriginalFilenameivGs.exe: vs doc_Pedido 02024091622008176.com.exe
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                  Source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                  Source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                  Source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                  Source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                  Source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@22/5@2/2
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\doc_Pedido 02024091622008176.com.exe.logJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMutant created: \Sessions\1\BaseNamedObjects\Local\0235e291-5d04-4fa3-932c-869aeec51499
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: doc_Pedido 02024091622008176.com.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: doc_Pedido 02024091622008176.com.exeReversingLabs: Detection: 50%
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeFile read: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /fJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /fJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptnet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: doc_Pedido 02024091622008176.com.exeStatic file information: File size 3737600 > 1048576
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x388800
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: doc_Pedido 02024091622008176.com.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: ivGs.pdbSHA2566 source: doc_Pedido 02024091622008176.com.exe, workbook.exe.10.dr
                  Source: Binary string: ivGs.pdb source: doc_Pedido 02024091622008176.com.exe, workbook.exe.10.dr

                  Data Obfuscation

                  barindex
                  .NET source code contains potential unpacker
                  Source: doc_Pedido 02024091622008176.com.exe, EsploraPulseForm.cs.Net Code: InitializeComponent contains xor as well as GetObject
                  Source: doc_Pedido 02024091622008176.com.exe, EsploraPulseForm.cs.Net Code: InitializeComponent
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.3521280.0.raw.unpack, --.cs.Net Code: _0023Es System.Reflection.Assembly.Load(byte[])
                  Source: 3.2.doc_Pedido 02024091622008176.com.exe.7a00000.2.raw.unpack, --.cs.Net Code: _0023Es System.Reflection.Assembly.Load(byte[])
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_07897400 pushfd ; ret 3_2_07897401
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_07DB1618 push eax; mov dword ptr [esp], ecx3_2_07DB161C
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_07DB5BB9 push eax; retf 3_2_07DB5BC6
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_07DB5B10 push eax; retf 3_2_07DB5BC6
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeCode function: 3_2_082113D8 push eax; mov dword ptr [esp], edx3_2_082113EC
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_01275689 push ebp; ret 14_2_01275696
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_056F13D8 push eax; mov dword ptr [esp], edx14_2_056F13EC
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A8715F push eax; ret 14_2_08A8716E
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A87382 push eax; ret 14_2_08A87389
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 14_2_08A87400 pushfd ; ret 14_2_08A87401
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_01BC4F88 push ds; iretd 15_2_01BC501B
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CB13D8 push eax; mov dword ptr [esp], edx15_2_07CB13EC
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CCC680 push ebp; retf 5507h15_2_07CCC64E
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CC7400 pushfd ; ret 15_2_07CC7401
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CC7382 push eax; ret 15_2_07CC7389
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07CC723E push FFFFFF8Bh; iretd 15_2_07CC7242
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeCode function: 15_2_07DF1618 push eax; mov dword ptr [esp], ecx15_2_07DF161C
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeFile created: C:\Users\user\AppData\Roaming\SubDir\workbook.exeJump to dropped file

                  Boot Survival

                  barindex
                  Uses schtasks.exe or at.exe to add and modify task schedules
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Hides that the sample has been downloaded from the Internet (zone.identifier)
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeFile opened: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe:Zone.Identifier read attributes | deleteJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeFile opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes | deleteJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeFile opened: C:\Users\user\AppData\Roaming\SubDir\workbook.exe:Zone.Identifier read attributes | deleteJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Yara detected AntiVM3
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 6932, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7580, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 1AA0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 34F0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 54F0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: A470000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 7A40000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: B7D0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: C7D0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 1610000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 3050000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: 5050000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 10A0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 2D10000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 1200000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 99C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: A9C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: AF60000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: BF60000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: C3D0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 1990000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 3600000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 1B50000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: A230000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: B230000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: B8C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: C8C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: CD20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 1450000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 2F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 4F20000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 2EE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 30D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory allocated: 3000000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWindow / User API: threadDelayed 5622Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWindow / User API: threadDelayed 4172Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe TID: 6340Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe TID: 7416Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7604Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7664Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7836Thread sleep time: -25825441703193356s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7824Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exe TID: 7928Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeThread delayed: delay time: 922337203685477
                  Source: workbook.exe, 00000010.00000002.3776451779.0000000005896000.00000004.00000020.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3776451779.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3750892832.0000000001156000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Injects a PE file into a foreign processes
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeMemory written: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory written: C:\Users\user\AppData\Roaming\SubDir\workbook.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeMemory written: C:\Users\user\AppData\Roaming\SubDir\workbook.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe "C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /fJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\workbook.exe "C:\Users\user\AppData\Roaming\SubDir\workbook.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /fJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\workbook.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\SubDir\workbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected Quasar RAT
                  Source: Yara matchFile source: 14.2.workbook.exe.2d4124c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.1436292930.000000000363C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1379208411.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1308157223.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 6932, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 7396, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7580, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7644, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7672, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected Quasar RAT
                  Source: Yara matchFile source: 14.2.workbook.exe.2d4124c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.doc_Pedido 02024091622008176.com.exe.afd0258.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.doc_Pedido 02024091622008176.com.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 14.2.workbook.exe.408d2b8.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0000000F.00000002.1436292930.000000000363C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1379208411.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1308157223.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 6932, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: doc_Pedido 02024091622008176.com.exe PID: 7396, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7580, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7644, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: workbook.exe PID: 7672, type: MEMORYSTR

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts21
                  Windows Management Instrumentation                  		1
                  Scheduled Task/Job                  		111
                  Process Injection                  		1
                  Masquerading                  		11
                  Input Capture                  		1
                  Query Registry                  		Remote Services11
                  Input Capture                  		11
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  Scheduled Task/Job                  		1
                  DLL Side-Loading                  		1
                  Scheduled Task/Job                  		1
                  Disable or Modify Tools                  		LSASS Memory111
                  Security Software Discovery                  		Remote Desktop Protocol1
                  Archive Collected Data                  		1
                  Non-Standard Port                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		41
                  Virtualization/Sandbox Evasion                  		Security Account Manager1
                  Process Discovery                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Ingress Tool Transfer                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                  Process Injection                  		NTDS41
                  Virtualization/Sandbox Evasion                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Hidden Files and Directories                  		LSA Secrets1
                  Application Window Discovery                  		SSHKeylogging113
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                  Obfuscated Files or Information                  		Cached Domain Credentials1
                  System Network Configuration Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Software Packing                  		DCSync23
                  System Information Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1512678 Sample: doc_Pedido 0202409162200817... Startdate: 17/09/2024 Architecture: WINDOWS Score: 100 48 twart.myfirewall.org 2->48 50 ipwho.is 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 10 other signatures 2->64 11 doc_Pedido 02024091622008176.com.exe 3 2->11         started        15 workbook.exe 2 2->15         started        signatures3 process4 file5 46 doc_Pedido 02024091622008176.com.exe.log, ASCII 11->46 dropped 70 Injects a PE file into a foreign processes 11->70 17 doc_Pedido 02024091622008176.com.exe 4 11->17         started        21 doc_Pedido 02024091622008176.com.exe 11->21         started        23 doc_Pedido 02024091622008176.com.exe 11->23         started        25 workbook.exe 15->25         started        27 workbook.exe 15->27         started        signatures6 process7 file8 44 C:\Users\user\AppData\...\workbook.exe, PE32 17->44 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->56 29 workbook.exe 3 17->29         started        32 schtasks.exe 1 17->32         started        signatures9 process10 signatures11 72 Multi AV Scanner detection for dropped file 29->72 74 Machine Learning detection for dropped file 29->74 76 Injects a PE file into a foreign processes 29->76 34 workbook.exe 15 2 29->34         started        38 conhost.exe 32->38         started        process12 dnsIp13 52 twart.myfirewall.org 213.159.74.80, 49705, 9792 CTINET-ASCTINETAutonomousSystemRU Russian Federation 34->52 54 ipwho.is 195.201.57.90, 443, 49707 HETZNER-ASDE Germany 34->54 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->66 68 Installs a global keyboard hook 34->68 40 schtasks.exe 1 34->40         started        signatures14 process15 process16 42 conhost.exe 40->42         started       

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  doc_Pedido 02024091622008176.com.exe50%ReversingLabsWin32.Backdoor.Quasarrat
                  doc_Pedido 02024091622008176.com.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\SubDir\workbook.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\SubDir\workbook.exe50%ReversingLabsWin32.Backdoor.Quasarrat

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                  http://schemas.datacontract.org/2004/07/d0%Avira URL Cloudsafe
                  https://api.ipify.org/0%Avira URL Cloudsafe
                  twart.myfirewall.org0%Avira URL Cloudsafe
                  https://stackoverflow.com/q/11564914/23354;0%Avira URL Cloudsafe
                  https://ipwho.is/0%Avira URL Cloudsafe
                  http://schemas.datacontract.org/2004/07/0%Avira URL Cloudsafe
                  https://stackoverflow.com/q/2152978/23354sCannot0%Avira URL Cloudsafe
                  http://ipwho.is0%Avira URL Cloudsafe
                  https://stackoverflow.com/q/14436606/233540%Avira URL Cloudsafe
                  http://ipwho.isd0%Avira URL Cloudsafe
                  https://ipwho.is0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  ipwho.is
                  		195.201.57.90
                  		truefalse
                    		unknown
                    twart.myfirewall.org
                    		213.159.74.80
                    		truetrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      https://ipwho.is/false
                      • Avira URL Cloud: safe
                      		unknown
                      twart.myfirewall.orgtrue
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://api.ipify.org/doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.datacontract.org/2004/07/dworkbook.exe, 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://stackoverflow.com/q/14436606/23354doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3757524186.0000000002F52000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://stackoverflow.com/q/2152978/23354sCannotdoc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.datacontract.org/2004/07/workbook.exe, 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namedoc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1354341850.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workbook.exe, 00000010.00000002.3757524186.0000000002F4B000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://ipwho.isworkbook.exe, 00000010.00000002.3757524186.00000000030E6000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://stackoverflow.com/q/11564914/23354;doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, doc_Pedido 02024091622008176.com.exe, 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, workbook.exe, 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://ipwho.isdworkbook.exe, 00000010.00000002.3757524186.00000000030E6000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://ipwho.isworkbook.exe, 00000010.00000002.3757524186.00000000030D4000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      213.159.74.80
                      		twart.myfirewall.orgRussian Federation
                      		13078CTINET-ASCTINETAutonomousSystemRUtrue
                      195.201.57.90
                      		ipwho.isGermany
                      		24940HETZNER-ASDEfalse

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1512678
                      Start date and time:2024-09-17 18:07:10 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 10m 39s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:26
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:doc_Pedido 02024091622008176.com.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@22/5@2/2
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 330
                      • Number of non-executed functions: 14
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 93.184.221.240
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: doc_Pedido 02024091622008176.com.exe

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      12:08:07API Interceptor1x Sleep call for process: doc_Pedido 02024091622008176.com.exe modified
                      12:08:12API Interceptor10403253x Sleep call for process: workbook.exe modified
                      18:08:13Task SchedulerRun new task: workbook path: C:\Users\user\AppData\Roaming\SubDir\workbook.exe

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      213.159.74.80doc_Zapytanie - Oferta POLSKA 91044PL.com.exeGet hashmaliciousQuasarBrowse
                        doc_Zapytanie - Oferta KH 09281.com.exeGet hashmaliciousQuasarBrowse
                          doc_rfq Oferta KH 09281.pdf.com.exeGet hashmaliciousQuasarBrowse
                            Client.exeGet hashmaliciousQuasarBrowse
                              rNuevoPedidoPO-00843.pdf.com.exeGet hashmaliciousQuasarBrowse
                                rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                  ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exeGet hashmaliciousQuasarBrowse
                                    Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                      4dALKsHYFM.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog Stealer, zgRATBrowse
                                        195.201.57.90SPt4FUjZMt.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLineBrowse
                                        • /?output=json
                                        765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                        • /?output=json
                                        765iYbgWn9.exeGet hashmaliciousLuca StealerBrowse
                                        • /?output=json
                                        WfKynArKjH.exeGet hashmaliciousAsyncRAT, Luca Stealer, MicroClip, RedLineBrowse
                                        • /?output=json
                                        ubes6SC7Vd.exeGet hashmaliciousUnknownBrowse
                                        • ipwhois.app/xml/
                                        cOQD62FceM.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                        • /?output=json
                                        Clipper.exeGet hashmaliciousUnknownBrowse
                                        • /?output=json
                                        cOQD62FceM.exeGet hashmaliciousLuca StealerBrowse
                                        • /?output=json
                                        Cryptor.exeGet hashmaliciousLuca StealerBrowse
                                        • /?output=json
                                        Cryptor.exeGet hashmaliciousLuca Stealer, Rusty StealerBrowse
                                        • /?output=json

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        ipwho.ishttp://irtcge9qw9ssq.pages.dev/Get hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        http://2204three.pages.dev/Get hashmaliciousTechSupportScamBrowse
                                        • 195.201.57.90
                                        doc_Zapytanie - Oferta POLSKA 91044PL.com.exeGet hashmaliciousQuasarBrowse
                                        • 195.201.57.90
                                        doc_Zapytanie - Oferta KH 09281.com.exeGet hashmaliciousQuasarBrowse
                                        • 195.201.57.90
                                        doc_rfq Oferta KH 09281.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 195.201.57.90
                                        bin homebots io.batGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        yJrZoOsgfl.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        IMKssbDprn.exeGet hashmaliciousUnknownBrowse
                                        • 108.181.98.179
                                        WBmC56ADQF.lnkGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        uScqjqUS1m.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        twart.myfirewall.orgdoc_Zapytanie - Oferta POLSKA 91044PL.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        doc_Zapytanie - Oferta KH 09281.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        doc_rfq Oferta KH 09281.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        Client.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        rNuevoPedidoPO-00843.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        4dALKsHYFM.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog Stealer, zgRATBrowse
                                        • 213.159.74.80
                                        doc_RFQ NEW ORDER #2400228341.pdf.exeGet hashmaliciousAsyncRATBrowse
                                        • 41.151.251.119

                                        ASNs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        HETZNER-ASDEhttps://www.google.com/url?q=https%3A%2F%2Fgoo.gl%2Fotzvm%236%261afkvsGet hashmaliciousUnknownBrowse
                                        • 136.243.216.232
                                        Unlock_Tool_5.8.exeGet hashmaliciousVidarBrowse
                                        • 91.107.146.245
                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 91.107.146.245
                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 91.107.146.245
                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 91.107.146.245
                                        file.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 91.107.146.245
                                        http://harshayerneni.github.io/Netflix-cloneGet hashmaliciousUnknownBrowse
                                        • 78.46.22.25
                                        SecuriteInfo.com.Win32.MalwareX-gen.8690.29614.exeGet hashmaliciousLummaC, VidarBrowse
                                        • 91.107.146.245
                                        9poHPPZxlB.exeGet hashmaliciousLummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, XmrigBrowse
                                        • 78.47.207.136
                                        https://gdzrdzrgysetgragfvasrtgfsarjk.bukuyass.com/XpfcRthbnrHirMbTaDgYoLKOcxSZUL&4CkOZrkSbfx&135228/372/zgehtiwtaf.home.php?sq=1618-2075&lk=267570-14&page=848Get hashmaliciousPhisherBrowse
                                        • 5.161.89.212
                                        CTINET-ASCTINETAutonomousSystemRUdoc_Zapytanie - Oferta POLSKA 91044PL.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        doc_Zapytanie - Oferta KH 09281.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        doc_rfq Oferta KH 09281.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        Client.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        rNuevoPedidoPO-00843.pdf.com.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        rVAKIFBANK-#U00d6demeonaymakbuzu20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        ZKB - Zahlungsbest#U00e4tigung an 20240828.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exeGet hashmaliciousQuasarBrowse
                                        • 213.159.74.80
                                        4dALKsHYFM.exeGet hashmaliciousAgentTesla, AsyncRAT, PureLog Stealer, zgRATBrowse
                                        • 213.159.74.80
                                        yEL4yMV0s4.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                        • 213.159.64.146

                                        JA3 Fingerprints

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        3b5074b1b5d032e5620f69f9f700ff0eQUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        https://hytechsms.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVVFWXpjMHM9JnVpZD1VU0VSMTMwOTIwMjRVMDYwOTEzMTQ=Get hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        Order #SS1953pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 195.201.57.90
                                        IMG_2110_168300pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        • 195.201.57.90
                                        QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90
                                        SWIFT.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                        • 195.201.57.90
                                        QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                        • 195.201.57.90
                                        QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                                        • 195.201.57.90

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                        Download File
                                        Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        File Type:Unknown
                                        Category:dropped
                                        Size (bytes):71954
                                        Entropy (8bit):7.996617769952133
                                        Encrypted:true
                                        SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                        MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                        SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                        SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                        SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                        Download File
                                        Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        File Type:Unknown
                                        Category:dropped
                                        Size (bytes):328
                                        Entropy (8bit):3.150184159866505
                                        Encrypted:false
                                        SSDEEP:6:kKAI9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:ITDnLNkPlE99SNxAhUe/3
                                        MD5:EE4E94E8B6D4F1E182D27E6463271B90
                                        SHA1:1AD9241F1729AF32C5BF910B5FB467975FBA5990
                                        SHA-256:AB11B1F74C2D8D91C0EE7B7BB88F4F4E29B05DE1E1DA5BC159CB3CAA37D25AE9
                                        SHA-512:7692B3D2ABF543C2B620B06D67B41314949BE81F4647093E8D1C4DE2019409782FE152C443F01B477326DBD0A6CDD249BFE4150B35ED737DC4D6C98F9A9FE37A
                                        Malicious:false
                                        Reputation:low
                                        Preview:p...... ..........{.....(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\doc_Pedido 02024091622008176.com.exe.log

                                        Download File
                                        Process:C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1329
                                        Entropy (8bit):5.344106431119393
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E49E4184j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hb
                                        MD5:57BFF9062A242EEA852F3E2F464AC42E
                                        SHA1:23969D574EC734C71663AB4893424CDEAC7691D7
                                        SHA-256:D254D998EB4CE21BA57C20585806244B10C31B6C23AC22A26D5BEDA91A2ADCBA
                                        SHA-512:4666420308C3EB2332AB1907A4D75B6052612A4D8C3A821EAB3ECEA642CB3F23A5A8804C933047250415B6F09AA67E920F6A19482B484BEF8EA68E8609FCE0F3
                                        Malicious:true
                                        Reputation:moderate, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\workbook.exe.log

                                        Download File
                                        Process:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1329
                                        Entropy (8bit):5.344106431119393
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E49E4184j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hb
                                        MD5:57BFF9062A242EEA852F3E2F464AC42E
                                        SHA1:23969D574EC734C71663AB4893424CDEAC7691D7
                                        SHA-256:D254D998EB4CE21BA57C20585806244B10C31B6C23AC22A26D5BEDA91A2ADCBA
                                        SHA-512:4666420308C3EB2332AB1907A4D75B6052612A4D8C3A821EAB3ECEA642CB3F23A5A8804C933047250415B6F09AA67E920F6A19482B484BEF8EA68E8609FCE0F3
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                        C:\Users\user\AppData\Roaming\SubDir\workbook.exe

                                        Download File
                                        Process:C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):3737600
                                        Entropy (8bit):7.997734977794224
                                        Encrypted:true
                                        SSDEEP:98304:USoojQ+OrsBIzoIqb+T8b1YfzUt/KrXcpQtiBlWK8:U9oteiIcIwy8CfzUtWcp5Y
                                        MD5:F5045F23C9EBFCDA88DB9A040544F462
                                        SHA1:F255E8E514826F27E003E443CF319EDA0198D674
                                        SHA-256:B4A61A178DFDA52928802E1189F3BF1BEF1C03AECF6B6FC99D2A3713F3D5E202
                                        SHA-512:ABCBB257049D5DE96FEA86087996D8325F70CB4499F9159E4682C9D51DB7ECF4152804249778A8FF72CFBFD173898CA6CDB2021E9415A7DCB7C92FA02D2601FE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 50%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0...8..~........8.. ....8...@.. .......................`9...........@................................._.8.O.....8.lz...................@9.....8.8.T............................................ ............... ..H............text.....8.. ....8................. ..`.rsrc...lz....8..|....8.............@..@.reloc.......@9.......9.............@..B..................8.....H.......d?..|<...........{..X.8..........................................0..x........r...p}.....r...p}......}.....(.......(......s$...}......|....sA...}.....{....r!..po......{.... .%..o......{.....o.....*&..(.....*...0............{....o....o......r+..ps....}.....{....o.....{....o......{.....o......{.....o......{.....o......{....o ....{....o!...o"...o#...r3..po$.....{....o ....{....o!...o"...o%...r[..po$.....{....(&...o'....*.0..[..........{....o(.....()...&.{.....o2.....{....

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.997734977794224
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:doc_Pedido 02024091622008176.com.exe
                                        File size:3'737'600 bytes
                                        MD5:f5045f23c9ebfcda88db9a040544f462
                                        SHA1:f255e8e514826f27e003e443cf319eda0198d674
                                        SHA256:b4a61a178dfda52928802e1189f3bf1bef1c03aecf6b6fc99d2a3713f3d5e202
                                        SHA512:abcbb257049d5de96fea86087996d8325f70cb4499f9159e4682c9d51db7ecf4152804249778a8ff72cfbfd173898ca6cdb2021e9415a7dcb7c92fa02d2601fe
                                        SSDEEP:98304:USoojQ+OrsBIzoIqb+T8b1YfzUt/KrXcpQtiBlWK8:U9oteiIcIwy8CfzUtWcp5Y
                                        TLSH:70063352F37887A8F86FE63881584418137332701EB2D5517ECB5DBFA898B20E9D8B74
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0...8..~........8.. ....8...@.. .......................`9...........@................................

                                        File Icon

                                        Icon Hash:0f2b657d7d630f13

                                        Static PE Info

                                        General

                                        Entrypoint:0x78a6b2
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x66E7FBA4 [Mon Sep 16 09:34:28 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x38a65f0x4f.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x38c0000x7a6c.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x3940000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x3892380x54.text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x3886b80x388800895b46a080f5cc50dbd1f9d142ccf35cunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rsrc0x38c0000x7a6c0x7c00b7666555eac55f8039a5453087bbad3eFalse0.9635521673387096data7.885617335073951IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0x3940000xc0x2002216e2fa6a511642cb54e943631c5a84False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                        RT_ICON0x38c1000x741bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced1.0005383036705582
                                        RT_GROUP_ICON0x39352c0x14data1.05
                                        RT_VERSION0x3935500x31cdata0.43467336683417085
                                        RT_MANIFEST0x39387c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Network Behavior

                                        Suricata IDS Alerts

                                        TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                        2024-09-17T18:08:19.382431+02002027619ET MALWARE Observed Malicious SSL Cert (Quasar CnC)1213.159.74.809792192.168.2.749705TCP
                                        2024-09-17T18:08:19.382431+02002035595ET MALWARE Generic AsyncRAT Style SSL Cert1213.159.74.809792192.168.2.749705TCP

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Sep 17, 2024 18:08:18.809418917 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:18.815287113 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:18.815480947 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:18.821990967 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:18.827481985 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:19.335932016 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:19.336150885 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:19.336272955 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:19.376878977 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:19.382431030 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:19.485904932 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:19.573216915 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:21.321655989 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:21.321719885 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:21.321804047 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:21.382745981 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:21.382766008 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.386085987 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.386173010 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:22.389846087 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:22.389863014 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.390213966 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.395248890 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:22.435416937 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.585160017 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.585340977 CEST44349707195.201.57.90192.168.2.7
                                        Sep 17, 2024 18:08:22.585427999 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:22.844602108 CEST49707443192.168.2.7195.201.57.90
                                        Sep 17, 2024 18:08:23.097966909 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:23.103043079 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:23.103137016 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:23.108000994 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:23.321764946 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:23.385742903 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:23.403312922 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:08:23.573266029 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:48.417123079 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:08:48.521217108 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:09:13.526638985 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:09:13.531855106 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:09:38.542309046 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:09:38.547610044 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:10:03.558049917 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:10:04.187443018 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:10:29.198738098 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:10:29.203830957 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:10:54.345839977 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:10:54.350951910 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:11:19.430206060 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:11:19.581845999 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:11:44.589684963 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:11:44.595093012 CEST979249705213.159.74.80192.168.2.7
                                        Sep 17, 2024 18:12:09.605479002 CEST497059792192.168.2.7213.159.74.80
                                        Sep 17, 2024 18:12:09.610697031 CEST979249705213.159.74.80192.168.2.7

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        Sep 17, 2024 18:08:18.726612091 CEST5577253192.168.2.71.1.1.1
                                        Sep 17, 2024 18:08:18.738641977 CEST53557721.1.1.1192.168.2.7
                                        Sep 17, 2024 18:08:21.310353041 CEST6450653192.168.2.71.1.1.1
                                        Sep 17, 2024 18:08:21.317944050 CEST53645061.1.1.1192.168.2.7

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                        Sep 17, 2024 18:08:18.726612091 CEST192.168.2.71.1.1.10x503aStandard query (0)twart.myfirewall.orgA (IP address)IN (0x0001)false
                                        Sep 17, 2024 18:08:21.310353041 CEST192.168.2.71.1.1.10x495dStandard query (0)ipwho.isA (IP address)IN (0x0001)false

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                        Sep 17, 2024 18:08:18.738641977 CEST1.1.1.1192.168.2.70x503aNo error (0)twart.myfirewall.org213.159.74.80A (IP address)IN (0x0001)false
                                        Sep 17, 2024 18:08:21.317944050 CEST1.1.1.1192.168.2.70x495dNo error (0)ipwho.is195.201.57.90A (IP address)IN (0x0001)false

                                        HTTP Request Dependency Graph

                                        • ipwho.is

                                        HTTPS Proxied Packets

                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                        0192.168.2.749707195.201.57.904437672C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        TimestampBytes transferredDirectionData
                                        2024-09-17 16:08:22 UTC150OUTGET / HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
                                        Host: ipwho.is
                                        Connection: Keep-Alive
                                        2024-09-17 16:08:22 UTC223INHTTP/1.1 200 OK
                                        Date: Tue, 17 Sep 2024 16:08:22 GMT
                                        Content-Type: application/json; charset=utf-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Server: ipwhois
                                        Access-Control-Allow-Headers: *
                                        X-Robots-Tag: noindex
                                        2024-09-17 16:08:22 UTC1019INData Raw: 33 65 66 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72
                                        Data Ascii: 3ef{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.33", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yor


                                        Statistics

                                        CPU Usage

                                        Click to jump to process

                                        Memory Usage

                                        Click to jump to process

                                        High Level Behavior Distribution

                                        Click to dive into process behavior distribution

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:3
                                        Start time:12:08:06
                                        Start date:17/09/2024
                                        Path:C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                                        Imagebase:0xeb0000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1346837711.000000000BFD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1329210550.000000000A471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1329210550.000000000AFD0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1308157223.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:8
                                        Start time:12:08:09
                                        Start date:17/09/2024
                                        Path:C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                                        Imagebase:0x350000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:9
                                        Start time:12:08:09
                                        Start date:17/09/2024
                                        Path:C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                                        Imagebase:0x1c0000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:10
                                        Start time:12:08:09
                                        Start date:17/09/2024
                                        Path:C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\doc_Pedido 02024091622008176.com.exe"
                                        Imagebase:0xaa0000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1332597685.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.1332597685.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:12
                                        Start time:12:08:11
                                        Start date:17/09/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                                        Imagebase:0x530000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:13
                                        Start time:12:08:11
                                        Start date:17/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:14
                                        Start time:12:08:11
                                        Start date:17/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                        Imagebase:0x4b0000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1379208411.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000E.00000002.1393535958.000000000408D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 50%, ReversingLabs
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:15
                                        Start time:12:08:13
                                        Start date:17/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Imagebase:0xef0000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000F.00000002.1436292930.000000000363C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:16
                                        Start time:12:08:14
                                        Start date:17/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                        Imagebase:0x8d0000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000010.00000002.3757524186.0000000003132000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        General

                                        Target ID:17
                                        Start time:12:08:16
                                        Start date:17/09/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"schtasks" /create /tn "workbook" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\workbook.exe" /rl HIGHEST /f
                                        Imagebase:0x530000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:18
                                        Start time:12:08:17
                                        Start date:17/09/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        General

                                        Target ID:19
                                        Start time:12:08:21
                                        Start date:17/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                        Imagebase:0x180000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        General

                                        Target ID:20
                                        Start time:12:08:21
                                        Start date:17/09/2024
                                        Path:C:\Users\user\AppData\Roaming\SubDir\workbook.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\SubDir\workbook.exe"
                                        Imagebase:0xa30000
                                        File size:3'737'600 bytes
                                        MD5 hash:F5045F23C9EBFCDA88DB9A040544F462
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Disassembly

                                        Reset < >

                                          Execution Graph

                                          Execution Coverage:10.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:1%
                                          Total number of Nodes:307
                                          Total number of Limit Nodes:23
                                          execution_graph 54822 7890478 54823 7890492 CloseHandle 54822->54823 54824 78904df 54823->54824 54728 1aad528 DuplicateHandle 54729 1aad5be 54728->54729 54730 1aa4668 54731 1aa467a 54730->54731 54732 1aa4686 54731->54732 54734 1aa4779 54731->54734 54735 1aa479d 54734->54735 54739 1aa4888 54735->54739 54743 1aa4879 54735->54743 54741 1aa48af 54739->54741 54740 1aa498c 54740->54740 54741->54740 54747 1aa44c4 54741->54747 54744 1aa48af 54743->54744 54745 1aa498c 54744->54745 54746 1aa44c4 CreateActCtxA 54744->54746 54746->54745 54748 1aa5918 CreateActCtxA 54747->54748 54750 1aa59db 54748->54750 54761 82199c8 54762 82199f0 54761->54762 54763 82199da 54761->54763 54765 8217fcc 54763->54765 54766 8217fd7 54765->54766 54767 821a24e 54766->54767 54770 821b1c8 54766->54770 54775 821b1d8 54766->54775 54767->54762 54772 821b1f9 54770->54772 54771 821b20e 54771->54766 54772->54771 54780 8219cd8 54772->54780 54776 821b1f9 54775->54776 54777 821b20e 54776->54777 54778 8219cd8 DrawTextExW 54776->54778 54777->54766 54779 821b25e 54778->54779 54781 8219ce3 54780->54781 54784 821bdec 54781->54784 54783 821b25e 54786 821bdf7 54784->54786 54785 821cb51 54785->54783 54786->54785 54790 821d660 54786->54790 54794 821d670 54786->54794 54787 821cc55 54787->54783 54791 821d670 54790->54791 54797 821bfc4 54791->54797 54795 821bfc4 DrawTextExW 54794->54795 54796 821d68d 54795->54796 54796->54787 54798 821d6a8 DrawTextExW 54797->54798 54800 821d68d 54798->54800 54800->54787 54801 7896660 54805 7896688 54801->54805 54812 7896677 54801->54812 54802 7896676 54806 78966ac 54805->54806 54807 78966b3 54805->54807 54806->54802 54811 78966da 54807->54811 54818 789513c 54807->54818 54810 789513c GetCurrentThreadId 54810->54811 54811->54802 54813 7896688 54812->54813 54814 789513c GetCurrentThreadId 54813->54814 54817 78966ac 54813->54817 54815 78966d0 54814->54815 54816 789513c GetCurrentThreadId 54815->54816 54816->54817 54817->54802 54819 7895147 54818->54819 54820 78969ef GetCurrentThreadId 54819->54820 54821 78966d0 54819->54821 54820->54821 54821->54810 54751 1aad2e0 54752 1aad326 GetCurrentProcess 54751->54752 54754 1aad378 GetCurrentThread 54752->54754 54755 1aad371 54752->54755 54756 1aad3ae 54754->54756 54757 1aad3b5 GetCurrentProcess 54754->54757 54755->54754 54756->54757 54758 1aad3eb 54757->54758 54759 1aad413 GetCurrentThreadId 54758->54759 54760 1aad444 54759->54760 54825 1aaaf50 54829 1aab048 54825->54829 54834 1aab037 54825->54834 54826 1aaaf5f 54830 1aab059 54829->54830 54831 1aab07c 54829->54831 54830->54831 54832 1aab280 GetModuleHandleW 54830->54832 54831->54826 54833 1aab2ad 54832->54833 54833->54826 54835 1aab059 54834->54835 54836 1aab07c 54834->54836 54835->54836 54837 1aab280 GetModuleHandleW 54835->54837 54836->54826 54838 1aab2ad 54837->54838 54838->54826 54839 55631ad 54840 55630bb 54839->54840 54841 556306c 54840->54841 54845 5563ade 54840->54845 54868 5563a69 54840->54868 54890 5563a78 54840->54890 54846 5563a6c 54845->54846 54847 5563ae1 54845->54847 54848 5563a9a 54846->54848 54912 5563ff6 54846->54912 54917 55644e9 54846->54917 54925 5563ea2 54846->54925 54935 55640a5 54846->54935 54942 5564164 54846->54942 54947 5563f24 54846->54947 54956 5564024 54846->54956 54961 556461b 54846->54961 54966 55642ba 54846->54966 54971 556433a 54846->54971 54976 5563f5a 54846->54976 54987 556435d 54846->54987 54995 55642df 54846->54995 55000 55640df 54846->55000 55005 5563eff 54846->55005 55013 5563fbf 54846->55013 55026 55644b3 54846->55026 55030 55640f7 54846->55030 55035 5564117 54846->55035 54847->54841 54848->54841 54869 5563a78 54868->54869 54870 5563a9a 54869->54870 54871 5563ff6 2 API calls 54869->54871 54872 5564117 4 API calls 54869->54872 54873 55640f7 2 API calls 54869->54873 54874 55644b3 2 API calls 54869->54874 54875 5563fbf 6 API calls 54869->54875 54876 5563eff 4 API calls 54869->54876 54877 55640df 2 API calls 54869->54877 54878 55642df 2 API calls 54869->54878 54879 556435d 4 API calls 54869->54879 54880 5563f5a 4 API calls 54869->54880 54881 556433a 2 API calls 54869->54881 54882 55642ba 2 API calls 54869->54882 54883 556461b 2 API calls 54869->54883 54884 5564024 2 API calls 54869->54884 54885 5563f24 4 API calls 54869->54885 54886 5564164 2 API calls 54869->54886 54887 55640a5 4 API calls 54869->54887 54888 5563ea2 6 API calls 54869->54888 54889 55644e9 4 API calls 54869->54889 54870->54841 54871->54870 54872->54870 54873->54870 54874->54870 54875->54870 54876->54870 54877->54870 54878->54870 54879->54870 54880->54870 54881->54870 54882->54870 54883->54870 54884->54870 54885->54870 54886->54870 54887->54870 54888->54870 54889->54870 54891 5563a92 54890->54891 54892 5563a9a 54891->54892 54893 5563ff6 2 API calls 54891->54893 54894 5564117 4 API calls 54891->54894 54895 55640f7 2 API calls 54891->54895 54896 55644b3 2 API calls 54891->54896 54897 5563fbf 6 API calls 54891->54897 54898 5563eff 4 API calls 54891->54898 54899 55640df 2 API calls 54891->54899 54900 55642df 2 API calls 54891->54900 54901 556435d 4 API calls 54891->54901 54902 5563f5a 4 API calls 54891->54902 54903 556433a 2 API calls 54891->54903 54904 55642ba 2 API calls 54891->54904 54905 556461b 2 API calls 54891->54905 54906 5564024 2 API calls 54891->54906 54907 5563f24 4 API calls 54891->54907 54908 5564164 2 API calls 54891->54908 54909 55640a5 4 API calls 54891->54909 54910 5563ea2 6 API calls 54891->54910 54911 55644e9 4 API calls 54891->54911 54892->54841 54893->54892 54894->54892 54895->54892 54896->54892 54897->54892 54898->54892 54899->54892 54900->54892 54901->54892 54902->54892 54903->54892 54904->54892 54905->54892 54906->54892 54907->54892 54908->54892 54909->54892 54910->54892 54911->54892 54913 5563ffa 54912->54913 55043 55629c1 54913->55043 55047 55629c8 54913->55047 54914 5564271 54918 5563f0b 54917->54918 54919 5563f1d 54918->54919 55051 5562830 54918->55051 55055 5562828 54918->55055 55059 5562340 54919->55059 55063 5562348 54919->55063 54920 55648ee 55067 5562c45 54925->55067 55071 5562c50 54925->55071 54926 5563ed9 54927 5563f1d 54926->54927 54929 5562830 Wow64SetThreadContext 54926->54929 54930 5562828 Wow64SetThreadContext 54926->54930 54933 5562340 ResumeThread 54927->54933 54934 5562348 ResumeThread 54927->54934 54928 55648ee 54929->54927 54930->54927 54933->54928 54934->54928 54940 5562830 Wow64SetThreadContext 54935->54940 54941 5562828 Wow64SetThreadContext 54935->54941 54936 55640bf 54938 5562340 ResumeThread 54936->54938 54939 5562348 ResumeThread 54936->54939 54937 55648ee 54938->54937 54939->54937 54940->54936 54941->54936 54943 556416e 54942->54943 54945 55629c1 WriteProcessMemory 54943->54945 54946 55629c8 WriteProcessMemory 54943->54946 54944 5564060 54944->54848 54945->54944 54946->54944 54948 5563f0b 54947->54948 54949 5563f1d 54948->54949 54950 5564473 54948->54950 54952 5562830 Wow64SetThreadContext 54948->54952 54953 5562828 Wow64SetThreadContext 54948->54953 54954 5562340 ResumeThread 54949->54954 54955 5562348 ResumeThread 54949->54955 54950->54848 54951 55648ee 54952->54949 54953->54949 54954->54951 54955->54951 54957 5563ffa 54956->54957 54959 55629c1 WriteProcessMemory 54957->54959 54960 55629c8 WriteProcessMemory 54957->54960 54958 5564271 54959->54958 54960->54958 54962 55645c2 54961->54962 54963 5564622 54961->54963 54962->54961 54964 55629c1 WriteProcessMemory 54962->54964 54965 55629c8 WriteProcessMemory 54962->54965 54964->54962 54965->54962 54967 55642db 54966->54967 54968 556486e 54967->54968 55075 5562ab0 54967->55075 55079 5562ab8 54967->55079 54972 556417f 54971->54972 54973 5564060 54972->54973 54974 55629c1 WriteProcessMemory 54972->54974 54975 55629c8 WriteProcessMemory 54972->54975 54973->54848 54974->54973 54975->54973 55083 5564b27 54976->55083 55088 5564b38 54976->55088 54977 5563fb9 54978 5563f0b 54978->54977 54980 5563f1d 54978->54980 54981 5562830 Wow64SetThreadContext 54978->54981 54982 5562828 Wow64SetThreadContext 54978->54982 54979 55648ee 54985 5562340 ResumeThread 54980->54985 54986 5562348 ResumeThread 54980->54986 54981->54980 54982->54980 54985->54979 54986->54979 54988 5563f0b 54987->54988 54989 5563f1d 54988->54989 54991 5562830 Wow64SetThreadContext 54988->54991 54992 5562828 Wow64SetThreadContext 54988->54992 54993 5562340 ResumeThread 54989->54993 54994 5562348 ResumeThread 54989->54994 54990 55648ee 54991->54989 54992->54989 54993->54990 54994->54990 54996 55642e5 54995->54996 54997 556486e 54996->54997 54998 5562ab0 ReadProcessMemory 54996->54998 54999 5562ab8 ReadProcessMemory 54996->54999 54998->54996 54999->54996 55001 5564290 55000->55001 55002 5564622 55001->55002 55003 55629c1 WriteProcessMemory 55001->55003 55004 55629c8 WriteProcessMemory 55001->55004 55003->55001 55004->55001 55006 5563f0b 55005->55006 55008 5563f1d 55006->55008 55009 5562830 Wow64SetThreadContext 55006->55009 55010 5562828 Wow64SetThreadContext 55006->55010 55007 55648ee 55011 5562340 ResumeThread 55008->55011 55012 5562348 ResumeThread 55008->55012 55009->55008 55010->55008 55011->55007 55012->55007 55014 5563fcc 55013->55014 55015 55642db 55013->55015 55014->55015 55016 5563f0b 55014->55016 55018 556486e 55015->55018 55020 5562ab0 ReadProcessMemory 55015->55020 55021 5562ab8 ReadProcessMemory 55015->55021 55017 5563f1d 55016->55017 55022 5562830 Wow64SetThreadContext 55016->55022 55023 5562828 Wow64SetThreadContext 55016->55023 55024 5562340 ResumeThread 55017->55024 55025 5562348 ResumeThread 55017->55025 55019 55648ee 55020->55015 55021->55015 55022->55017 55023->55017 55024->55019 55025->55019 55027 55647c8 55026->55027 55093 5562901 55027->55093 55097 5562908 55027->55097 55032 5564104 55030->55032 55031 556486e 55032->55031 55033 5562ab0 ReadProcessMemory 55032->55033 55034 5562ab8 ReadProcessMemory 55032->55034 55033->55032 55034->55032 55036 5563f0b 55035->55036 55037 5563f1d 55036->55037 55039 5562830 Wow64SetThreadContext 55036->55039 55040 5562828 Wow64SetThreadContext 55036->55040 55041 5562340 ResumeThread 55037->55041 55042 5562348 ResumeThread 55037->55042 55038 55648ee 55039->55037 55040->55037 55041->55038 55042->55038 55044 55629c8 WriteProcessMemory 55043->55044 55046 5562a67 55044->55046 55046->54914 55048 5562a10 WriteProcessMemory 55047->55048 55050 5562a67 55048->55050 55050->54914 55052 5562875 Wow64SetThreadContext 55051->55052 55054 55628bd 55052->55054 55054->54919 55056 5562830 Wow64SetThreadContext 55055->55056 55058 55628bd 55056->55058 55058->54919 55060 5562348 ResumeThread 55059->55060 55062 55623b9 55060->55062 55062->54920 55064 5562388 ResumeThread 55063->55064 55066 55623b9 55064->55066 55066->54920 55068 5562cd9 CreateProcessA 55067->55068 55070 5562e9b 55068->55070 55072 5562cd9 CreateProcessA 55071->55072 55074 5562e9b 55072->55074 55076 5562ab8 ReadProcessMemory 55075->55076 55078 5562b47 55076->55078 55078->54967 55080 5562b03 ReadProcessMemory 55079->55080 55082 5562b47 55080->55082 55082->54967 55084 5564b38 55083->55084 55086 5562830 Wow64SetThreadContext 55084->55086 55087 5562828 Wow64SetThreadContext 55084->55087 55085 5564b63 55085->54978 55086->55085 55087->55085 55089 5564b4d 55088->55089 55091 5562830 Wow64SetThreadContext 55089->55091 55092 5562828 Wow64SetThreadContext 55089->55092 55090 5564b63 55090->54978 55091->55090 55092->55090 55094 5562908 VirtualAllocEx 55093->55094 55096 5562985 55094->55096 55096->55027 55098 5562948 VirtualAllocEx 55097->55098 55100 5562985 55098->55100 55100->55027 55101 5565428 55102 55655b3 55101->55102 55104 556544e 55101->55104 55104->55102 55105 5564d1c 55104->55105 55106 55656a8 PostMessageW 55105->55106 55107 5565714 55106->55107 55107->55104

                                          Executed Functions

                                          Function 07DBAC80 Relevance: 15.6, Strings: 10, Instructions: 3085COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 495 7dbac80-7dbad0c 1195 7dbad12 call 7dbe058 495->1195 1196 7dbad12 call 7dbe068 495->1196 500 7dbad18-7dbad26 501 7dbad2f-7dbaf57 500->501 529 7dbaf5d-7dbb2e5 501->529 530 7dbe040-7dbe046 501->530 529->530 585 7dbb2eb-7dbb3c9 529->585 585->530 597 7dbb3cf-7dbb3da 585->597 597->530 598 7dbb3e0-7dbb45d 597->598 598->530 605 7dbb463-7dbb541 598->605 605->530 617 7dbb547-7dbb83e 605->617 617->530 657 7dbb844-7dbb84f 617->657 657->530 658 7dbb855-7dbc162 657->658 658->530 777 7dbc168-7dbc57a 658->777 777->530 831 7dbc580-7dbc58b 777->831 831->530 832 7dbc591-7dbc5ad 831->832 832->530 834 7dbc5b3-7dbc6ce 832->834 834->530 851 7dbc6d4-7dbc813 834->851 851->530 868 7dbc819-7dbcb6f 851->868 868->530 913 7dbcb75-7dbcd9e 868->913 913->530 942 7dbcda4-7dbd0c0 913->942 942->530 985 7dbd0c6-7dbd25c 942->985 985->530 1007 7dbd262-7dbd3f8 985->1007 1007->530 1029 7dbd3fe-7dbd5ad 1007->1029 1029->530 1052 7dbd5b3-7dbdbb7 1029->1052 1052->530 1134 7dbdbbd-7dbe03f 1052->1134 1195->500 1196->500
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-1298971921
                                          • Opcode ID: 33002e29962a9bd82b8c4da5f27304fe68afd6073dc8ee210929e09262f23a29
                                          • Instruction ID: 723719108e4fe2c08d2d019db2f41b6deab7a82f08455eb974a18ba003cecd7f
                                          • Opcode Fuzzy Hash: 33002e29962a9bd82b8c4da5f27304fe68afd6073dc8ee210929e09262f23a29
                                          • Instruction Fuzzy Hash: A7637E70A10225DFD724DF64D955BAABBB2FF89700F1085D9E90AAB354CB369D80CF90
                                          Function 07DBAC90 Relevance: 15.6, Strings: 10, Instructions: 3084COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1197 7dbac90-7dbad0c 1896 7dbad12 call 7dbe058 1197->1896 1897 7dbad12 call 7dbe068 1197->1897 1201 7dbad18-7dbad26 1202 7dbad2f-7dbaf57 1201->1202 1230 7dbaf5d-7dbb2e5 1202->1230 1231 7dbe040-7dbe046 1202->1231 1230->1231 1286 7dbb2eb-7dbb3c9 1230->1286 1286->1231 1298 7dbb3cf-7dbb3da 1286->1298 1298->1231 1299 7dbb3e0-7dbb45d 1298->1299 1299->1231 1306 7dbb463-7dbb541 1299->1306 1306->1231 1318 7dbb547-7dbb83e 1306->1318 1318->1231 1358 7dbb844-7dbb84f 1318->1358 1358->1231 1359 7dbb855-7dbc162 1358->1359 1359->1231 1478 7dbc168-7dbc57a 1359->1478 1478->1231 1532 7dbc580-7dbc58b 1478->1532 1532->1231 1533 7dbc591-7dbc5ad 1532->1533 1533->1231 1535 7dbc5b3-7dbc6ce 1533->1535 1535->1231 1552 7dbc6d4-7dbc813 1535->1552 1552->1231 1569 7dbc819-7dbcb6f 1552->1569 1569->1231 1614 7dbcb75-7dbcd9e 1569->1614 1614->1231 1643 7dbcda4-7dbd0c0 1614->1643 1643->1231 1686 7dbd0c6-7dbd25c 1643->1686 1686->1231 1708 7dbd262-7dbd3f8 1686->1708 1708->1231 1730 7dbd3fe-7dbd5ad 1708->1730 1730->1231 1753 7dbd5b3-7dbdbb7 1730->1753 1753->1231 1835 7dbdbbd-7dbe03f 1753->1835 1896->1201 1897->1201
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-1298971921
                                          • Opcode ID: 17651fecaac232b7bf79db7094c014cfc0349c068294d1f455404099ac4c9450
                                          • Instruction ID: 2e4672711132294b9e95b3ebbf3d8be852041ae64a92f450d0c1a27c82736b0c
                                          • Opcode Fuzzy Hash: 17651fecaac232b7bf79db7094c014cfc0349c068294d1f455404099ac4c9450
                                          • Instruction Fuzzy Hash: 30637E70A10225DFD724DF64D955BAABBB2FF89700F1085D9E90AAB354CB369D80CF90
                                          Function 08217FCC Relevance: .9, Instructions: 931COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1328712215.0000000008210000.00000040.00000800.00020000.00000000.sdmp, Offset: 08210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_8210000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d45ec00b72e885ee550bbff1f3cbcb2d0c01a5e676f898691c17ee6fd89a60b
                                          • Instruction ID: e8613669f8540a4ea15333fdb40cb8c8382eb458b85a58135addc2d6b0389314
                                          • Opcode Fuzzy Hash: 9d45ec00b72e885ee550bbff1f3cbcb2d0c01a5e676f898691c17ee6fd89a60b
                                          • Instruction Fuzzy Hash: BFA21975E102598FCB25DF68C8546EDB7B2FF89300F1482A9D90AA7355EB70AE81CF50
                                          Function 05567758 Relevance: .4, Instructions: 354COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f153cdf5c60985159a966b6e141266b05794018f91572f5532ca0880d9c1af8d
                                          • Instruction ID: bda25c26bc88af1d88ad9d17c656e8aeb9546313f1fb61249bbc2c5729c38190
                                          • Opcode Fuzzy Hash: f153cdf5c60985159a966b6e141266b05794018f91572f5532ca0880d9c1af8d
                                          • Instruction Fuzzy Hash: D5D1A730B012468FEB29EB75C550BABB7F6FF88204F14886DD1468B294DF35E901CB91
                                          Function 078952E4 Relevance: .3, Instructions: 278COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bbf0e2207fa55540330cab26e9475ee2021867640d8689248ec0153bfcd0253
                                          • Instruction ID: f71af3ba359575ae17f08799a7026706b9d55097a618b43c6a0ae4cec988fc13
                                          • Opcode Fuzzy Hash: 6bbf0e2207fa55540330cab26e9475ee2021867640d8689248ec0153bfcd0253
                                          • Instruction Fuzzy Hash: BCA109B5E1021A9FDF15CFB9C844AAEBBF6AF9A300F148469D819E7341EB309945CF50
                                          Function 01AAD2D1 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1898 1aad2d1-1aad36f GetCurrentProcess 1903 1aad378-1aad3ac GetCurrentThread 1898->1903 1904 1aad371-1aad377 1898->1904 1905 1aad3ae-1aad3b4 1903->1905 1906 1aad3b5-1aad3e9 GetCurrentProcess 1903->1906 1904->1903 1905->1906 1908 1aad3eb-1aad3f1 1906->1908 1909 1aad3f2-1aad40d call 1aad4b0 1906->1909 1908->1909 1912 1aad413-1aad442 GetCurrentThreadId 1909->1912 1913 1aad44b-1aad4ad 1912->1913 1914 1aad444-1aad44a 1912->1914 1914->1913
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 01AAD35E
                                          • GetCurrentThread.KERNEL32 ref: 01AAD39B
                                          • GetCurrentProcess.KERNEL32 ref: 01AAD3D8
                                          • GetCurrentThreadId.KERNEL32 ref: 01AAD431
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 22663a41b0109bde45ccc3c7e0cec85f873785aa29505e2228ea3893221b84ed
                                          • Instruction ID: e9618702f82ad2bdb030b561c98ffa1b175ce9cf4a38796bf2ba01ec704a0618
                                          • Opcode Fuzzy Hash: 22663a41b0109bde45ccc3c7e0cec85f873785aa29505e2228ea3893221b84ed
                                          • Instruction Fuzzy Hash: 1A5146B0900349CFEB14CFA9D548BDEBBF1EF88314F208459E449AB760D7789945CB66
                                          Function 01AAD2E0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1921 1aad2e0-1aad36f GetCurrentProcess 1925 1aad378-1aad3ac GetCurrentThread 1921->1925 1926 1aad371-1aad377 1921->1926 1927 1aad3ae-1aad3b4 1925->1927 1928 1aad3b5-1aad3e9 GetCurrentProcess 1925->1928 1926->1925 1927->1928 1930 1aad3eb-1aad3f1 1928->1930 1931 1aad3f2-1aad40d call 1aad4b0 1928->1931 1930->1931 1934 1aad413-1aad442 GetCurrentThreadId 1931->1934 1935 1aad44b-1aad4ad 1934->1935 1936 1aad444-1aad44a 1934->1936 1936->1935
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 01AAD35E
                                          • GetCurrentThread.KERNEL32 ref: 01AAD39B
                                          • GetCurrentProcess.KERNEL32 ref: 01AAD3D8
                                          • GetCurrentThreadId.KERNEL32 ref: 01AAD431
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 28b82d750666b65b32ad752c226876a433673a2919c1eecb515d95a9f0246290
                                          • Instruction ID: f3626d8f65204a24d08d442e3192b8ab30e2fc84b4f0d39ef4e982b1cf774de1
                                          • Opcode Fuzzy Hash: 28b82d750666b65b32ad752c226876a433673a2919c1eecb515d95a9f0246290
                                          • Instruction Fuzzy Hash: 3B5137B0900709CFEB14CFA9D548BEEBBF1EF88314F208459E449AB760D7789945CB65
                                          Function 07DB89B0 Relevance: 6.0, Strings: 4, Instructions: 962COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1943 7db89b0-7db8a4f 1953 7db8a5a-7db8a61 1943->1953 1954 7db8a51-7db8a58 1943->1954 1956 7db8a6a 1953->1956 1957 7db8a63-7db8a68 1953->1957 1955 7db8a80-7db8a84 1954->1955 1958 7db8a86-7db8a8a 1955->1958 1959 7db8a94-7db9661 call 7dbf268 1955->1959 2182 7db8a6a call 7db9971 1956->2182 2183 7db8a6a call 7db9980 1956->2183 1957->1955 1958->1959 2178 7db9663 call 82118b0 1959->2178 2179 7db9663 call 8211b20 1959->2179 2180 7db9663 call 8211780 1959->2180 2181 7db9663 call 8211790 1959->2181 1960 7db8a70-7db8a7d 1960->1955 2142 7db9669-7db9855 2178->2142 2179->2142 2180->2142 2181->2142 2182->1960 2183->1960
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0EIq$+~^k^$;~^k^$}^k^
                                          • API String ID: 0-3110621912
                                          • Opcode ID: a035149c78e7571ae25d40352ede20c3b66f7d76cd1844ef599297ae2217fafd
                                          • Instruction ID: dd57a04b5ea7c6e6ad0e10931fdfbf0f14ac4925733aa72241dd3cd4dcdbad51
                                          • Opcode Fuzzy Hash: a035149c78e7571ae25d40352ede20c3b66f7d76cd1844ef599297ae2217fafd
                                          • Instruction Fuzzy Hash: 4692D474A007058FE768DB78D454B5ABBB6FF89201F1088AAE54AD7360EF35AD42CB50
                                          Function 07DB89AF Relevance: 6.0, Strings: 4, Instructions: 950COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2184 7db89af-7db8a4f 2194 7db8a5a-7db8a61 2184->2194 2195 7db8a51-7db8a58 2184->2195 2197 7db8a6a 2194->2197 2198 7db8a63-7db8a68 2194->2198 2196 7db8a80-7db8a84 2195->2196 2199 7db8a86-7db8a8a 2196->2199 2200 7db8a94-7db8b66 2196->2200 2423 7db8a6a call 7db9971 2197->2423 2424 7db8a6a call 7db9980 2197->2424 2198->2196 2199->2200 2222 7db8b70-7db8b7f call 7dbf268 2200->2222 2201 7db8a70-7db8a7d 2201->2196 2223 7db8b85-7db8b8d 2222->2223 2225 7db8b97-7db8b9f 2223->2225 2226 7db8ba7-7db964f 2225->2226 2382 7db9659-7db9661 2226->2382 2419 7db9663 call 82118b0 2382->2419 2420 7db9663 call 8211b20 2382->2420 2421 7db9663 call 8211780 2382->2421 2422 7db9663 call 8211790 2382->2422 2383 7db9669-7db9855 2419->2383 2420->2383 2421->2383 2422->2383 2423->2201 2424->2201
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0EIq$+~^k^$;~^k^$}^k^
                                          • API String ID: 0-3110621912
                                          • Opcode ID: ef0c0ec192572a291739ec22549210e0bb1a858e53a8cb0cd6277310d68f88ef
                                          • Instruction ID: 8baa251b0253de396cd621128fdb6feae55c5761e5b8904d4e9cb416374613fa
                                          • Opcode Fuzzy Hash: ef0c0ec192572a291739ec22549210e0bb1a858e53a8cb0cd6277310d68f88ef
                                          • Instruction Fuzzy Hash: A192D374A007058FE768DB78D454B5ABBF6FF89201F1088AAE54AD7360EF35AD42CB50
                                          Function 07DB9980 Relevance: 5.3, Strings: 4, Instructions: 319COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2425 7db9980-7db9995 2426 7db999f-7db99dc 2425->2426 2427 7db9997-7db999e 2425->2427 2430 7db99de-7db99f2 2426->2430 2431 7db9a26-7db9a71 2426->2431 2434 7db99fb-7db9a23 2430->2434 2435 7db99f4 2430->2435 2441 7db9abf-7db9b09 2431->2441 2442 7db9a73-7db9a87 2431->2442 2434->2431 2435->2434 2452 7db9b0b-7db9b1f 2441->2452 2453 7db9b57-7db9b9f 2441->2453 2445 7db9a89 2442->2445 2446 7db9a90-7db9abc 2442->2446 2445->2446 2446->2441 2456 7db9b28-7db9b54 2452->2456 2457 7db9b21 2452->2457 2463 7db9beb-7db9c33 2453->2463 2464 7db9ba1-7db9bb5 2453->2464 2456->2453 2457->2456 2475 7db9cca-7db9cce 2463->2475 2476 7db9c39-7db9c3c 2463->2476 2467 7db9bbe-7db9be8 2464->2467 2468 7db9bb7 2464->2468 2467->2463 2468->2467 2479 7db9cd0-7db9ce6 2475->2479 2480 7db9d34-7db9d58 2475->2480 2477 7db9d8a-7db9dd0 2476->2477 2478 7db9c42-7db9c65 2476->2478 2485 7db9c6b-7db9c6f 2478->2485 2486 7db9c67-7db9c69 2478->2486 2487 7db9ce8-7db9cea 2479->2487 2488 7db9cec-7db9cf3 2479->2488 2508 7db9d5f-7db9d83 2480->2508 2492 7db9c78-7db9c7b 2485->2492 2493 7db9c71-7db9c76 2485->2493 2491 7db9c86-7db9c88 2486->2491 2494 7db9d12-7db9d14 2487->2494 2495 7db9cfc-7db9d0d 2488->2495 2496 7db9cf5-7db9cfa 2488->2496 2497 7db9c8a-7db9c91 2491->2497 2498 7db9c93-7db9c97 2491->2498 2501 7db9c83 2492->2501 2493->2491 2499 7db9d16-7db9d1d 2494->2499 2500 7db9d25-7db9d33 2494->2500 2495->2494 2496->2494 2503 7db9ca0-7db9cb4 2497->2503 2498->2503 2504 7db9c99 2498->2504 2499->2477 2505 7db9d1f-7db9d23 2499->2505 2501->2491 2503->2477 2512 7db9cba-7db9cc4 2503->2512 2504->2503 2505->2500 2505->2508 2508->2477 2512->2475 2512->2476
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: K}^k^$[}^k^$k}^k^${}^k^
                                          • API String ID: 0-4083627305
                                          • Opcode ID: e861c56327b13d87b321a0feb55e4b304d573461ff6435d8c89f430df373ac83
                                          • Instruction ID: 5ee6e3f18aed05dd0ccbb14ca58fe7b384488e0181b322af2dbc467b8e262221
                                          • Opcode Fuzzy Hash: e861c56327b13d87b321a0feb55e4b304d573461ff6435d8c89f430df373ac83
                                          • Instruction Fuzzy Hash: 7EC18F74E00209CBDB24DF69D4907ADF7F2FF89310F648529E50AAB345DB39AD428B91
                                          Function 07DBFE70 Relevance: 2.6, Strings: 2, Instructions: 94COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2645 7dbfe70-7dbff48 call 7dbfdf4 2653 7dbff4d-7dbffb8 call 7dbfe04 2645->2653
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$#
                                          • API String ID: 0-2529538431
                                          • Opcode ID: 59fa157edb4150beb145874651b3ce9efe212f26347097da28c7b1c92ac253d0
                                          • Instruction ID: 5efea115cdb74e15d5d8de10aea5be01002904df7af49588318dcaf8d218c35d
                                          • Opcode Fuzzy Hash: 59fa157edb4150beb145874651b3ce9efe212f26347097da28c7b1c92ac253d0
                                          • Instruction Fuzzy Hash: 09414775D102199BDB24DFA8D8806AEBBF6FF88310F108219E914AB255E7709946CB91
                                          Function 07DBFE80 Relevance: 2.6, Strings: 2, Instructions: 90COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2659 7dbfe80-7dbff48 call 7dbfdf4 2666 7dbff4d-7dbffb8 call 7dbfe04 2659->2666
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$#
                                          • API String ID: 0-2529538431
                                          • Opcode ID: f0c04aba1e5e1b69e80f9a2b69192945bbe2aa7c450bc76731a5385d63d6eab0
                                          • Instruction ID: 3d864c3f97dbab93fdda9e30b63cdaae3028f125a9761491e0a75e7a2d7ac7f3
                                          • Opcode Fuzzy Hash: f0c04aba1e5e1b69e80f9a2b69192945bbe2aa7c450bc76731a5385d63d6eab0
                                          • Instruction Fuzzy Hash: E7315775D102199BCB24DFA8D880AEEFBF6FF88310F108219E814AB355E7709946CB91
                                          Function 05562C45 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2672 5562c45-5562ce5 2674 5562ce7-5562cf1 2672->2674 2675 5562d1e-5562d3e 2672->2675 2674->2675 2676 5562cf3-5562cf5 2674->2676 2682 5562d77-5562da6 2675->2682 2683 5562d40-5562d4a 2675->2683 2677 5562cf7-5562d01 2676->2677 2678 5562d18-5562d1b 2676->2678 2680 5562d05-5562d14 2677->2680 2681 5562d03 2677->2681 2678->2675 2680->2680 2684 5562d16 2680->2684 2681->2680 2689 5562ddf-5562e99 CreateProcessA 2682->2689 2690 5562da8-5562db2 2682->2690 2683->2682 2685 5562d4c-5562d4e 2683->2685 2684->2678 2687 5562d50-5562d5a 2685->2687 2688 5562d71-5562d74 2685->2688 2691 5562d5e-5562d6d 2687->2691 2692 5562d5c 2687->2692 2688->2682 2703 5562ea2-5562f28 2689->2703 2704 5562e9b-5562ea1 2689->2704 2690->2689 2693 5562db4-5562db6 2690->2693 2691->2691 2694 5562d6f 2691->2694 2692->2691 2695 5562db8-5562dc2 2693->2695 2696 5562dd9-5562ddc 2693->2696 2694->2688 2698 5562dc6-5562dd5 2695->2698 2699 5562dc4 2695->2699 2696->2689 2698->2698 2700 5562dd7 2698->2700 2699->2698 2700->2696 2714 5562f2a-5562f2e 2703->2714 2715 5562f38-5562f3c 2703->2715 2704->2703 2714->2715 2716 5562f30 2714->2716 2717 5562f3e-5562f42 2715->2717 2718 5562f4c-5562f50 2715->2718 2716->2715 2717->2718 2719 5562f44 2717->2719 2720 5562f52-5562f56 2718->2720 2721 5562f60-5562f64 2718->2721 2719->2718 2720->2721 2724 5562f58 2720->2724 2722 5562f76-5562f7d 2721->2722 2723 5562f66-5562f6c 2721->2723 2725 5562f94 2722->2725 2726 5562f7f-5562f8e 2722->2726 2723->2722 2724->2721 2728 5562f95 2725->2728 2726->2725 2728->2728
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05562E86
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 99706bcc9b665925ce1a29495ea119a05b285a01c1fae33d0dd09f2263ebb736
                                          • Instruction ID: 258e7d1f304b60cb08f724a67a14d6cde72a76dc6e44f4cccbc6a39691cea3da
                                          • Opcode Fuzzy Hash: 99706bcc9b665925ce1a29495ea119a05b285a01c1fae33d0dd09f2263ebb736
                                          • Instruction Fuzzy Hash: 78916975D00259DFEB24CF68C841BEDBBB2FF48300F1485A9E809A7280DB749986CF91
                                          Function 05562C50 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2729 5562c50-5562ce5 2731 5562ce7-5562cf1 2729->2731 2732 5562d1e-5562d3e 2729->2732 2731->2732 2733 5562cf3-5562cf5 2731->2733 2739 5562d77-5562da6 2732->2739 2740 5562d40-5562d4a 2732->2740 2734 5562cf7-5562d01 2733->2734 2735 5562d18-5562d1b 2733->2735 2737 5562d05-5562d14 2734->2737 2738 5562d03 2734->2738 2735->2732 2737->2737 2741 5562d16 2737->2741 2738->2737 2746 5562ddf-5562e99 CreateProcessA 2739->2746 2747 5562da8-5562db2 2739->2747 2740->2739 2742 5562d4c-5562d4e 2740->2742 2741->2735 2744 5562d50-5562d5a 2742->2744 2745 5562d71-5562d74 2742->2745 2748 5562d5e-5562d6d 2744->2748 2749 5562d5c 2744->2749 2745->2739 2760 5562ea2-5562f28 2746->2760 2761 5562e9b-5562ea1 2746->2761 2747->2746 2750 5562db4-5562db6 2747->2750 2748->2748 2751 5562d6f 2748->2751 2749->2748 2752 5562db8-5562dc2 2750->2752 2753 5562dd9-5562ddc 2750->2753 2751->2745 2755 5562dc6-5562dd5 2752->2755 2756 5562dc4 2752->2756 2753->2746 2755->2755 2757 5562dd7 2755->2757 2756->2755 2757->2753 2771 5562f2a-5562f2e 2760->2771 2772 5562f38-5562f3c 2760->2772 2761->2760 2771->2772 2773 5562f30 2771->2773 2774 5562f3e-5562f42 2772->2774 2775 5562f4c-5562f50 2772->2775 2773->2772 2774->2775 2776 5562f44 2774->2776 2777 5562f52-5562f56 2775->2777 2778 5562f60-5562f64 2775->2778 2776->2775 2777->2778 2781 5562f58 2777->2781 2779 5562f76-5562f7d 2778->2779 2780 5562f66-5562f6c 2778->2780 2782 5562f94 2779->2782 2783 5562f7f-5562f8e 2779->2783 2780->2779 2781->2778 2785 5562f95 2782->2785 2783->2782 2785->2785
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05562E86
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6249a4fc94b03cb99f4fbf37f07a62baa854b518a21874a931bfb3752c7dc222
                                          • Instruction ID: 8b3b80d201938c8f0da1ad6d5cd8eae245f4a59d90da68ba00dcb9133f1aac91
                                          • Opcode Fuzzy Hash: 6249a4fc94b03cb99f4fbf37f07a62baa854b518a21874a931bfb3752c7dc222
                                          • Instruction Fuzzy Hash: 5B915775D00659DFEB24CF69C841BEDBBB2BF48310F1485A9E809A7280DB749986CF91
                                          Function 01AAB048 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 01AAB29E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: aef81d1dc8a01cadca2885e18374a67c41b9e71cb0ca70e0508b663e2a83491a
                                          • Instruction ID: 64d4a6fdf8c2f76a054a1604da878d09ba3cbc31cda2893b9b22f084810aa8bb
                                          • Opcode Fuzzy Hash: aef81d1dc8a01cadca2885e18374a67c41b9e71cb0ca70e0508b663e2a83491a
                                          • Instruction Fuzzy Hash: 28713670A00B058FE764DF69D44479ABBF1FF88200F40892EE48AD7A50D775F949CBA1
                                          Function 01AA590C Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01AA59C9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 42fced7f539c8e4b887c8cd50419c09b5325b7e36bbe2990ea695571c083af53
                                          • Instruction ID: 5444bb03c42ee68d5891d8ad4443fe71cab3ad17eb41ff46cd9447fdec483491
                                          • Opcode Fuzzy Hash: 42fced7f539c8e4b887c8cd50419c09b5325b7e36bbe2990ea695571c083af53
                                          • Instruction Fuzzy Hash: A441F2B1D01718CFEB28CFAAC884B8DBBB1BF49304F60806AD808AB250DB755946CF54
                                          Function 01AA44C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01AA59C9
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 3262e1bebeb8213f07b57e01e59a07abe150c16e02ff755bdcbff5b0b3f161ce
                                          • Instruction ID: 1bd9361b689359601731f682b3fa5f1d07e13445e54d60ec73f99ee78d810acc
                                          • Opcode Fuzzy Hash: 3262e1bebeb8213f07b57e01e59a07abe150c16e02ff755bdcbff5b0b3f161ce
                                          • Instruction Fuzzy Hash: 7741F0B0D0071CCFEB24CFAAC884B9DBBB5BF49304F60806AD408AB251DB756946CF94
                                          Function 0821BFB8 Relevance: 1.6, APIs: 1, Instructions: 77COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0821D68D,?,?), ref: 0821D73F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1328712215.0000000008210000.00000040.00000800.00020000.00000000.sdmp, Offset: 08210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_8210000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 88f2974ba12f793de863062ae1f2936f05100576f4ab413b399f176971a5ee1b
                                          • Instruction ID: ce6976938d940958239d11925ceff7412d4e555de3035c002bf3ba7653652282
                                          • Opcode Fuzzy Hash: 88f2974ba12f793de863062ae1f2936f05100576f4ab413b399f176971a5ee1b
                                          • Instruction Fuzzy Hash: 303103B5D10349DFDB11CF9AD884ADEBBF4EF58210F24842EE818A7210D374A945CFA5
                                          Function 055629C1 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05562A58
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 0b06192c7d7033dcc803228d7c5bc7734db80039a3eb4bf17a9da2df99c34c8a
                                          • Instruction ID: 4a4ed88214709ca77fea04884b123e5b4e1362beeefee2dd77bfdd1966cdc447
                                          • Opcode Fuzzy Hash: 0b06192c7d7033dcc803228d7c5bc7734db80039a3eb4bf17a9da2df99c34c8a
                                          • Instruction Fuzzy Hash: 6A2148759003499FDB10CFAAC985BDEBBF5FF48310F10842AE919A7240C7789540CBA5
                                          Function 0821D6A1 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0821D68D,?,?), ref: 0821D73F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1328712215.0000000008210000.00000040.00000800.00020000.00000000.sdmp, Offset: 08210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_8210000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: deaae96d0e9b3e7416391243274ac9743055ea89acaf378115eb7933ef380eef
                                          • Instruction ID: b00742cb66273b828dd322c6448cc59d48cd567cd691cccbe5e31092303ba546
                                          • Opcode Fuzzy Hash: deaae96d0e9b3e7416391243274ac9743055ea89acaf378115eb7933ef380eef
                                          • Instruction Fuzzy Hash: 9631D1B5D012499FDB10CF9AD884ADEBBF4EB48210F24842AE818A7210D374A945CFA1
                                          Function 0821BFC4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0821D68D,?,?), ref: 0821D73F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1328712215.0000000008210000.00000040.00000800.00020000.00000000.sdmp, Offset: 08210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_8210000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 5ddba4412445565468ee9ce02494ca83f80fa386a9369ed298c7b780bedc1670
                                          • Instruction ID: 3e656e47b8fd9dde55ed30c73daefa11265e3f1ef22d4e971b709874289342ce
                                          • Opcode Fuzzy Hash: 5ddba4412445565468ee9ce02494ca83f80fa386a9369ed298c7b780bedc1670
                                          • Instruction Fuzzy Hash: 1A31E2B5D10349DFDF10CF9AD884A9EBBF4EB58210F24842EE919A7310D374A945CFA4
                                          Function 055629C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05562A58
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 4254d0c2af0a81ea9b192cd360f2a8b2e49be66f8e34cf0b2aa03eafa867dfe4
                                          • Instruction ID: 45cdf556dd4ab16e5b9a4339176ddd6cf493e4c6cffa5f1f90fb8364a1eb67ae
                                          • Opcode Fuzzy Hash: 4254d0c2af0a81ea9b192cd360f2a8b2e49be66f8e34cf0b2aa03eafa867dfe4
                                          • Instruction Fuzzy Hash: 98212775900349DFDB14CFAAC980BEEBBF5FF48310F10842AE919A7240C7789945CBA5
                                          Function 05562828 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 055628AE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 2dc01e03d1bb623195c34b4c12155ed52715d571d35c45d085a19f6d6d84dfdd
                                          • Instruction ID: 991e502576d5de038ff86f5eb2cee9a70ca31151b7aeec41e6a31120bb26336c
                                          • Opcode Fuzzy Hash: 2dc01e03d1bb623195c34b4c12155ed52715d571d35c45d085a19f6d6d84dfdd
                                          • Instruction Fuzzy Hash: F0215775D003089FDB14CFAAC885BEEBBF4FB48214F14842AD519A7240CB789945CFA5
                                          Function 05562AB0 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05562B38
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 55632c56c6fbf4b5daf7afb78d344632cb7af7a011a0bc952cb485c7f19383d7
                                          • Instruction ID: 7baee29ac6c4803c52937dd5d5ad009787185a4d3d21311f11116bae3ca1264b
                                          • Opcode Fuzzy Hash: 55632c56c6fbf4b5daf7afb78d344632cb7af7a011a0bc952cb485c7f19383d7
                                          • Instruction Fuzzy Hash: A72125B1C003499FDB14CFAAC881BEEBBF5FF48310F10842AE519A7250CB3895018BA5
                                          Function 01AAD521 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01AAD5AF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: a180a4e768d3f1f5f8a7c95b3cb54131304cf5fe6ea8e2591cb8b2023513ba1c
                                          • Instruction ID: fb7a507cd232d16db2207404a14019cdd0b2bf8dfe430647e78737698ae0612d
                                          • Opcode Fuzzy Hash: a180a4e768d3f1f5f8a7c95b3cb54131304cf5fe6ea8e2591cb8b2023513ba1c
                                          • Instruction Fuzzy Hash: 3E21E6B5D00349DFDB10CFAAD984ADEBBF4EB48314F14841AE954A7350D378A944CF65
                                          Function 05562830 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 055628AE
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: e69503eb5f25d016ca86b208b1c87c86b38caeab4fad6171a2efdf80a44d64c0
                                          • Instruction ID: b5062b72e3617ae2679f2b876059008efec22210b13a90cc2c9c0c22e2e5b966
                                          • Opcode Fuzzy Hash: e69503eb5f25d016ca86b208b1c87c86b38caeab4fad6171a2efdf80a44d64c0
                                          • Instruction Fuzzy Hash: EB213475D003098FDB14CFAAC884BEEBBF4FB88210F14842AD519A7240CB789945CFA5
                                          Function 05562AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05562B38
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: ee165d3fe14fadca035dfd4294f6487ac9a0df698f4304c0765ddab8255d10ad
                                          • Instruction ID: 3e5c56eb45986a9b84e800619ef65de7f68c8a1f34a689a6f37c6801f246344c
                                          • Opcode Fuzzy Hash: ee165d3fe14fadca035dfd4294f6487ac9a0df698f4304c0765ddab8255d10ad
                                          • Instruction Fuzzy Hash: 8F211675C003499FDB14CFAAC880BEEBBF5FF48310F10842AE519A7250CB399501CBA5
                                          Function 01AAD528 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01AAD5AF
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: b502913f2ff23a3b2593320ca6f066149d3ec3fbe6d81e81b31b6a29155855a2
                                          • Instruction ID: b1278cf611d6380c653cda428fc66b610c1363a1e8d242d5398d14daee3f2d62
                                          • Opcode Fuzzy Hash: b502913f2ff23a3b2593320ca6f066149d3ec3fbe6d81e81b31b6a29155855a2
                                          • Instruction Fuzzy Hash: F021C4B5D00249DFDB10CFAAD984ADEBBF4EB48310F14841AE958A7350D379A944CFA5
                                          Function 05562901 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05562976
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: bbd7f6b224f248e232141638218f265f2456289c74805e8a9f54aaa2fd6f5102
                                          • Instruction ID: 1790e34e4dd4edaee66af3795eb00ec96be5012735c0f7a5dd7dfac2e9608c65
                                          • Opcode Fuzzy Hash: bbd7f6b224f248e232141638218f265f2456289c74805e8a9f54aaa2fd6f5102
                                          • Instruction Fuzzy Hash: 7C1159768003489FDB24DFAAC844BEFBBF5FB48310F14841AE519A7250CB359540CFA5
                                          Function 05562908 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05562976
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 6f455d687c11c1d07cfcfcdc4118264a7a6b17fc496bd3432bc5761bc63124a8
                                          • Instruction ID: 1243ba6e0b4b9f0e339e3fac5a39eacbef62c40b38db0d21c205bedcb32340c1
                                          • Opcode Fuzzy Hash: 6f455d687c11c1d07cfcfcdc4118264a7a6b17fc496bd3432bc5761bc63124a8
                                          • Instruction Fuzzy Hash: 321137768003499FDB24DFAAC844BEEBBF5FF88310F148819E519A7250CB799540CFA5
                                          Function 05562340 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 1cc2d314b747ba5f8ae4a4a27311680aa45ebc9a8d0b7b98b76ecb1796501ba4
                                          • Instruction ID: b4a325f53ee71f2b666af462a0e8b29ee2d8b1b4a63d49243471a43f64538ef6
                                          • Opcode Fuzzy Hash: 1cc2d314b747ba5f8ae4a4a27311680aa45ebc9a8d0b7b98b76ecb1796501ba4
                                          • Instruction Fuzzy Hash: ED115BB5D003488FDB24DFAAC4457DEFBF4EB48210F248429D519A7640CB35A500CFA5
                                          Function 05562348 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 00ff9f42394d5dae7c7589d7768af0a2591872dbcc8efcb1f8fdd747ebc0189b
                                          • Instruction ID: 3aa778cd53d46c86868c6d0e3702e175d3ed42310fa1ba24a539f7a148436596
                                          • Opcode Fuzzy Hash: 00ff9f42394d5dae7c7589d7768af0a2591872dbcc8efcb1f8fdd747ebc0189b
                                          • Instruction Fuzzy Hash: 26113AB5D003488FDB24DFAAC4447EEFBF4EB88210F24841DD519A7240CB79A544CFA5
                                          Function 055656A0 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 05565705
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: ec2985133f8469fa90bc55f744dd259091d003009339787f68d04b4ef39be084
                                          • Instruction ID: ac2bb102c0300ff36ff4a5bc9277a2338d6fb0b16d25d5cf2126b146b0fd27a5
                                          • Opcode Fuzzy Hash: ec2985133f8469fa90bc55f744dd259091d003009339787f68d04b4ef39be084
                                          • Instruction Fuzzy Hash: DA11F2B6800248DFDB20CF9AD885BDEBBF8FB48320F108419E558A7640D375A544CFA5
                                          Function 05564D1C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 05565705
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: e057c7357127d0f898cc575f0f5963b20c867ffd5666141b89620f7ab1dda839
                                          • Instruction ID: 5632168136653987d8a6af301f6f8c002c96524efa7329785b96c311c4351953
                                          • Opcode Fuzzy Hash: e057c7357127d0f898cc575f0f5963b20c867ffd5666141b89620f7ab1dda839
                                          • Instruction Fuzzy Hash: 8C11F2B6800348DFDB20CF9AD884BDEBBF8FB48320F108459E919A7200D375A944CFA5
                                          Function 01AAB238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 01AAB29E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 5d27433c455f9b33ada0198c77ba83532319ab8189e45b1350e3418cff7d9a8d
                                          • Instruction ID: e40021ad641ff095098854b591667ca1f92b5f1e38948ae79a44508b101ac605
                                          • Opcode Fuzzy Hash: 5d27433c455f9b33ada0198c77ba83532319ab8189e45b1350e3418cff7d9a8d
                                          • Instruction Fuzzy Hash: C511E0B6C00649CFDB24CF9AC444BDEFBF4EB88314F10842AD929A7610C379A549CFA5
                                          Function 07890470 Relevance: 1.3, APIs: 1, Instructions: 50COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 078904D0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: df5baac9f6300c6e13b2c3b1bea7955d016ef20d24b9e20112505915b4d39a23
                                          • Instruction ID: a67c56a20174369b44f17b1d453fa4fd8ab7571f570b2ded63fd061afc4cd5d9
                                          • Opcode Fuzzy Hash: df5baac9f6300c6e13b2c3b1bea7955d016ef20d24b9e20112505915b4d39a23
                                          • Instruction Fuzzy Hash: 401136B6C00249CFDB20CF9AC545BEEBBF0EB48324F14846AD558A7741C338A544CFA5
                                          Function 07890478 Relevance: 1.3, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 078904D0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: c6873437f729c59cba8d1a238627532c05b60e46ca81f32e6910237a4341a4d0
                                          • Instruction ID: 40bd0688b8a88e7dde7ed22ae89f205e3cd0212b99d6adaa5eeb0f860ddc600f
                                          • Opcode Fuzzy Hash: c6873437f729c59cba8d1a238627532c05b60e46ca81f32e6910237a4341a4d0
                                          • Instruction Fuzzy Hash: 751133B6800349CFDB20CF9AC544BDEBBF4EB48320F14846AD958A7740C338A544CFA5
                                          Function 07DB9DF9 Relevance: 1.3, Strings: 1, Instructions: 36COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: b9a41d55e35e04e145ca0ca72702a826abcb00d4f139349c582aeccbce14680c
                                          • Instruction ID: ad3a7fe13088dbc3f09a3045d2c0e08e43f18cefba408480bad1caff3f8ab9c7
                                          • Opcode Fuzzy Hash: b9a41d55e35e04e145ca0ca72702a826abcb00d4f139349c582aeccbce14680c
                                          • Instruction Fuzzy Hash: 0601A270A4134AEFCB19EFB8E84415C7FF2FF48200B6085A9D8099B241EE386E45CF55
                                          Function 07DB9E08 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: f6510dcdeeeba455188b8ce5b9500d129fbb3f2bc2a436f6c5c8f99af205b3f6
                                          • Instruction ID: 5b3b14c890013aaebae75f9fd88cb332d0394731e5789496a61ab5f7615ae8a9
                                          • Opcode Fuzzy Hash: f6510dcdeeeba455188b8ce5b9500d129fbb3f2bc2a436f6c5c8f99af205b3f6
                                          • Instruction Fuzzy Hash: 00F03C30A5120AEFCB19EFB8E94459C7BF2FF58200B6085A8D8099B315EB386E15CB55
                                          Function 07DB3090 Relevance: .7, Instructions: 727COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 85f5957a014c09a0e0face11ef6a5004d15894a85194ccd68382c2f4b2d7b35c
                                          • Instruction ID: 8e5f97887f4ec7c997c2ae1e3f77fd89d16ea2072afd732cd7b406c7c4f570a4
                                          • Opcode Fuzzy Hash: 85f5957a014c09a0e0face11ef6a5004d15894a85194ccd68382c2f4b2d7b35c
                                          • Instruction Fuzzy Hash: E5724035910609CFDB15EF68C894AEDBBB1FF45305F008299D54AA7265EF30AAC6CF81
                                          Function 07DB0040 Relevance: .6, Instructions: 551COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4a66dc78615ed091876c38375c5f87eabd055799b748428ecaec1ad9caff49de
                                          • Instruction ID: 84b8fc7fdfe45795f3da7c8c1953ef2dfb42b9f4c26ef0ed907baa29e15b768f
                                          • Opcode Fuzzy Hash: 4a66dc78615ed091876c38375c5f87eabd055799b748428ecaec1ad9caff49de
                                          • Instruction Fuzzy Hash: 2D42C671E1061ACBCB25DF68C894ADDF7B1FF89304F108699D45ABB251EB30AA85CF50
                                          Function 07DB4960 Relevance: .5, Instructions: 500COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 807e87a857622d9a0308a55bae2bc5e6b1a12d9cb8f18c7c91c5ae01ce1d64b6
                                          • Instruction ID: 1707f888310e9e072780243aa78acd969913ef3ed804ea9d38f1c0d312183550
                                          • Opcode Fuzzy Hash: 807e87a857622d9a0308a55bae2bc5e6b1a12d9cb8f18c7c91c5ae01ce1d64b6
                                          • Instruction Fuzzy Hash: 0A221774A10255CFDB24DF68C884BADB7B2FF89300F1486A9E44AAB365DB30E945CF50
                                          Function 07DBE517 Relevance: .5, Instructions: 498COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2998304f3b9d112f9bb06baa83d9e40134b31da35831cb107fe89f5f96aee9e3
                                          • Instruction ID: 60d49962b65b1c6d67d3b785db3046bc91f377bea1f06336908a030e3793641b
                                          • Opcode Fuzzy Hash: 2998304f3b9d112f9bb06baa83d9e40134b31da35831cb107fe89f5f96aee9e3
                                          • Instruction Fuzzy Hash: EF32AAB9B40111DFEB54DFA8E984E5A7BB2FB8C714B104198E6099B361C77AEC25CF10
                                          Function 07DB0007 Relevance: .3, Instructions: 349COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe2116d736afeef0e4e5ce9fd937ce5db8463d599311bc453cf0c70ab70ea3b3
                                          • Instruction ID: 9a0d5c1fb8326dc35c1d665acc24de8d692e8e9222f70db130f7c2089482727d
                                          • Opcode Fuzzy Hash: fe2116d736afeef0e4e5ce9fd937ce5db8463d599311bc453cf0c70ab70ea3b3
                                          • Instruction Fuzzy Hash: 33F1F771E00619CFCB25DF68C894ADDF7B1FF49310F1186AAD45AAB261EB30A985CF50
                                          Function 07DBF268 Relevance: .2, Instructions: 227COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 871010c54b56673f66a9299e8d3f62e3e4bba1cdc9bfa35679245f97fb7ae129
                                          • Instruction ID: 1f9ca4ab4f9d75381d7fe7d301b541d7aa244415b8158b660394b7bc7bc3de6d
                                          • Opcode Fuzzy Hash: 871010c54b56673f66a9299e8d3f62e3e4bba1cdc9bfa35679245f97fb7ae129
                                          • Instruction Fuzzy Hash: 8991A1359003128BEB54EF78D48029D77A2FFC5204B54896CD80A9F359EFB9AD0BC7A5
                                          Function 07DB5480 Relevance: .2, Instructions: 198COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3d5ecf851cb828a3aab8f08306591d8b0de24811ed754fcf04b37a63aba74988
                                          • Instruction ID: 744096d9907ef776511c044896cfc7cd3a02c24d91e488a85194980c600f3a1e
                                          • Opcode Fuzzy Hash: 3d5ecf851cb828a3aab8f08306591d8b0de24811ed754fcf04b37a63aba74988
                                          • Instruction Fuzzy Hash: 5C711474B00249CFCF15DFB8D4989ADFBF2AF89210F10826AE41AAB354DB70D845CB90
                                          Function 07DB2A20 Relevance: .2, Instructions: 197COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e04397cab5ce675ce7ca21f0e908d50d6e99d1016035af7aa948c9e858c33f46
                                          • Instruction ID: 92f53cdff30221a87acc138bdef4ad9f9b970b62c3911e98de9ded6751b21e19
                                          • Opcode Fuzzy Hash: e04397cab5ce675ce7ca21f0e908d50d6e99d1016035af7aa948c9e858c33f46
                                          • Instruction Fuzzy Hash: 4D91F67591060ADFCB51DF68C8809D9FBF5FF89310B14879AE819EB255EB30E985CB80
                                          Function 07DB1D99 Relevance: .2, Instructions: 177COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0ac67862867b5010254d66f4253f94f73f6c923e36220f5333918c97d795a3cd
                                          • Instruction ID: 3c8382b22782b78650a6bf64a1961ae4bc0aefabbd26450bb8bd012786ca4f97
                                          • Opcode Fuzzy Hash: 0ac67862867b5010254d66f4253f94f73f6c923e36220f5333918c97d795a3cd
                                          • Instruction Fuzzy Hash: EE71D2B9700600CFC718DF29C498959BBF2FF8921471589A9E54ACB772DB72EC45CB50
                                          Function 07DB1DA8 Relevance: .2, Instructions: 176COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 122072fbc5650ea004492eac454419475e3e55027adb5bcb394aadc333373d98
                                          • Instruction ID: 577b2cdd63653030ec0706067227b74da0243d64c50aba09bf90465551b4978b
                                          • Opcode Fuzzy Hash: 122072fbc5650ea004492eac454419475e3e55027adb5bcb394aadc333373d98
                                          • Instruction Fuzzy Hash: 5771BEB9700A01CFC718DF29C498959BBF2FF8921471589A9E54ACB372DB72EC41CB50
                                          Function 07DB1BB8 Relevance: .2, Instructions: 172COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fdfcc4aa0207a9b91ba94946a78bbe4981e059cfb8139ac2f8faf6bd64467a7b
                                          • Instruction ID: e40368a698dfcaed6f52564c2af312ec9c27a79236c8da2fbc94a4dff9186eb9
                                          • Opcode Fuzzy Hash: fdfcc4aa0207a9b91ba94946a78bbe4981e059cfb8139ac2f8faf6bd64467a7b
                                          • Instruction Fuzzy Hash: A37190B4A0020ACFCB14CF68D594999FBF1FF49310B5986A9E84ADB312D735EC85CB90
                                          Function 07DB4950 Relevance: .2, Instructions: 170COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7712e8aebd76754337a8c601877887b8e0f8c75338dbe2a26dbadb05d04952e
                                          • Instruction ID: 3f177dacea7c646dbd7105223627460c5ba4f3d830c4f65a4d0ee286f1c879ec
                                          • Opcode Fuzzy Hash: b7712e8aebd76754337a8c601877887b8e0f8c75338dbe2a26dbadb05d04952e
                                          • Instruction Fuzzy Hash: 00616B70A10640CFDB24DF79C898B99B7E2FF89210F1485B8E54A9B3A2DB709905CB61
                                          Function 07DB5473 Relevance: .2, Instructions: 160COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c049f358a7ec490ccc0547f91619dc98137273171766a456a36d304b8a0991dc
                                          • Instruction ID: 6b3c6aab54767d54f9dd29d64fd398e68f3902707cca75815bd542699dd8e49b
                                          • Opcode Fuzzy Hash: c049f358a7ec490ccc0547f91619dc98137273171766a456a36d304b8a0991dc
                                          • Instruction Fuzzy Hash: 0B510775B00219CFCF15DFB8D49499CF7F2AF89211B14856AE41AAB364EB70D845CB90
                                          Function 07DB2A13 Relevance: .1, Instructions: 144COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: edc925c0e29cd41381a1e2a20fd27499f00a8f6ca5142ebaa1e79d379721f812
                                          • Instruction ID: 8270918f6129230ebda443012afd443943ed3631d80528b1b403c9c960f9de68
                                          • Opcode Fuzzy Hash: edc925c0e29cd41381a1e2a20fd27499f00a8f6ca5142ebaa1e79d379721f812
                                          • Instruction Fuzzy Hash: 9851F77591070ACFCB51DF68C880AD9FBB1FF49310B14875AE859EB255EB30E985CB80
                                          Function 07DB52C8 Relevance: .1, Instructions: 139COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 915a632f04f158d1bf389dd8644629d4a2b985077ad675fb24b97f19611b44e7
                                          • Instruction ID: a7f0c255f5c376303d24570860fcd8aae2daedadf535613c74e646c6ab0e3068
                                          • Opcode Fuzzy Hash: 915a632f04f158d1bf389dd8644629d4a2b985077ad675fb24b97f19611b44e7
                                          • Instruction Fuzzy Hash: AB4104B1B04651CBDB29A778B41466EB7E3EFC9510728446ED80BCB385EF24DC0683E2
                                          Function 07DB0CC9 Relevance: .1, Instructions: 106COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 53a0d553dbfd9262503e8cf253df5ea1de547279bfea5c59bca7139d059432f3
                                          • Instruction ID: 60afb2cc77cd4ed85650e27d1e606c466f3fe86ed993632492bddf1f514a6e5d
                                          • Opcode Fuzzy Hash: 53a0d553dbfd9262503e8cf253df5ea1de547279bfea5c59bca7139d059432f3
                                          • Instruction Fuzzy Hash: 62411C34A10709CFCB14EFB8C894ADEBBB6FF89304F008559E5156B325EB71A946CB91
                                          Function 07DB0CD8 Relevance: .1, Instructions: 101COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 16dccc6c83d0fcd1812995a6b08d9c4f1d25c997e7b99cd7bd2be4c0b2fd0b3f
                                          • Instruction ID: d13e218f97fbe717cdc01ae5056fe812674d621c89c8d808d7de315e59c6bccc
                                          • Opcode Fuzzy Hash: 16dccc6c83d0fcd1812995a6b08d9c4f1d25c997e7b99cd7bd2be4c0b2fd0b3f
                                          • Instruction Fuzzy Hash: 93411A34A1070ACFCB14EFB8C8949DDBBB6FF89304F008559E515AB325EB71A946CB81
                                          Function 07DB1BA8 Relevance: .1, Instructions: 96COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ee56b255f5e7ce78a979e59030d8d2973d79c86974bf7852d4053ee6cb35642
                                          • Instruction ID: 11b47f49f2bbbb79c86e89f170ed6a57b336b023e7fc8b929d26e2bd0aeff54d
                                          • Opcode Fuzzy Hash: 3ee56b255f5e7ce78a979e59030d8d2973d79c86974bf7852d4053ee6cb35642
                                          • Instruction Fuzzy Hash: 72411CB4A0020ACFC715CF68D5949A9FBF1FF49310B5986AAD44ADB361E731EC85CB90
                                          Function 07DB0BD0 Relevance: .1, Instructions: 92COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b324b26a27b20f20633b23acdeb9dd01bc2899953ec2dc66f570cdfc4326eec
                                          • Instruction ID: bbdb4fda4955e54e4ae35a00db70232064155361c6513bbd82325eb51273ac96
                                          • Opcode Fuzzy Hash: 6b324b26a27b20f20633b23acdeb9dd01bc2899953ec2dc66f570cdfc4326eec
                                          • Instruction Fuzzy Hash: E3314F35B01219DFCF14EF64E8548DDF7B6FF88224B158269E906AB314EB31AD46CB90
                                          Function 0192D1FC Relevance: .1, Instructions: 76COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307535600.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_192d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ffff4bc113b2f28aea4fa78ffab5ad36e037daf6e9c4d8983a495e0224f40849
                                          • Instruction ID: 39772ddd3e6c202d9fefd3b567e29ca62c0ac89235ec3eb4caaf51b8ffb8d00f
                                          • Opcode Fuzzy Hash: ffff4bc113b2f28aea4fa78ffab5ad36e037daf6e9c4d8983a495e0224f40849
                                          • Instruction Fuzzy Hash: E721D372504240EFDF15DF94D9C4F26BBA5FB89324F24C569ED090B25AC336D416CBA2
                                          Function 0192D4C4 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307535600.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_192d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c7bbdddf78e34a5c913c0d7ab131fa865270ab18f2e9fcca904efb27b297ed5
                                          • Instruction ID: deef46736d5ba8d1167b9d24748868701e24dcc794b27ae16b09b4cd5eabb306
                                          • Opcode Fuzzy Hash: 3c7bbdddf78e34a5c913c0d7ab131fa865270ab18f2e9fcca904efb27b297ed5
                                          • Instruction Fuzzy Hash: 1A21D372504240EFDB15DF54D9C0F26BFA5FB88318F24C569E9090B25EC376D456CAA2
                                          Function 07DB5230 Relevance: .1, Instructions: 74COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0a81d9fca16fc2d45e62d6dabe109cf3450588b51d46dcc38e1c0903b3eff6b
                                          • Instruction ID: c3acee98a058dfb08e2ce0720d88d84e2e131508c68139b8ac6a7150e3e0eaa6
                                          • Opcode Fuzzy Hash: f0a81d9fca16fc2d45e62d6dabe109cf3450588b51d46dcc38e1c0903b3eff6b
                                          • Instruction Fuzzy Hash: 9611D575B14250CFCB199B79E49876EBBA6EFC9210B1484AEE406CB356DE35DC02C750
                                          Function 0193D1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307589945.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_193d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ef158a14421b2b010b4dcf8268ab6541ebecc94ad9f34be25189825f7cd8715
                                          • Instruction ID: 0a56f307ace55b1d80030214e5f6d2ea3a422648881a95523233cd0033b18d16
                                          • Opcode Fuzzy Hash: 5ef158a14421b2b010b4dcf8268ab6541ebecc94ad9f34be25189825f7cd8715
                                          • Instruction Fuzzy Hash: 7521F271904200EFEB15DFA4D9D0F26BBA5FBC4324F60C96DE90D4B292C336D846CA62
                                          Function 0193D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307589945.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_193d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: de7f9ddf335a29195b53fcf90186587e0d1f36eac74542e6e4546217af344a5d
                                          • Instruction ID: 93719b0b7ec406167646d721606ca101466fcaf4878378289b5f8996a286b7b1
                                          • Opcode Fuzzy Hash: de7f9ddf335a29195b53fcf90186587e0d1f36eac74542e6e4546217af344a5d
                                          • Instruction Fuzzy Hash: F721FFB1604200EFDB15DF64D990B26FBA5EB84614F60C96DE80E0B292C336D807CA62
                                          Function 07DB3BD0 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c2ec83b15e838dd3b775223f9e6985be5b3b47736c8a4258597c9860506ca09a
                                          • Instruction ID: d27ede2307bb5b7d442d2a168446a70799ebc4181723d7433f8e861073566811
                                          • Opcode Fuzzy Hash: c2ec83b15e838dd3b775223f9e6985be5b3b47736c8a4258597c9860506ca09a
                                          • Instruction Fuzzy Hash: D9213071A10609DFCB10EF6CD94159EFBB4FF59310F50C26AE958AB200FB30A998CB91
                                          Function 0193D006 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307589945.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_193d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8235708b58901a95733cf463bcd2683bb137e0a4daa24af5093a81711633f728
                                          • Instruction ID: 47c880da27861f6b3ee9bdc75189ed5c5b6c3f2e53898905dd99e2b396d4d94e
                                          • Opcode Fuzzy Hash: 8235708b58901a95733cf463bcd2683bb137e0a4daa24af5093a81711633f728
                                          • Instruction Fuzzy Hash: 172183755093809FDB13CF64D590715FFB1EB46214F28C5EAD8498F6A7C33A980ACB62
                                          Function 0192D1F7 Relevance: .1, Instructions: 57COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307535600.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_192d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
                                          • Instruction ID: d9483a970515f441d5f751201a8ddbc5c7e87bc3170b2ad05a4dad644ccb8f15
                                          • Opcode Fuzzy Hash: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
                                          • Instruction Fuzzy Hash: AE219D76504240DFDB16CF54D9C4B16BFA2FB85324F24C5A9DD090B65AC33AD426CBA2
                                          Function 0192D4BF Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307535600.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_192d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction ID: 18923051a6c9801034e92b6d50e9019147444c696d94aeb929d249fa11027dd0
                                          • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction Fuzzy Hash: 13110372404280DFDB16CF54D5C0B16BFB1FB84314F24C6A9D8090B65BC336D456CBA2
                                          Function 07DB2040 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4186093025f51f85a4401b2f3bcda160ecc72bb9350a5e43a582a830253740f7
                                          • Instruction ID: be1673d9ea35cf71f82a32d5260a10d96f2632017b24f8c756ae635e1a73af1e
                                          • Opcode Fuzzy Hash: 4186093025f51f85a4401b2f3bcda160ecc72bb9350a5e43a582a830253740f7
                                          • Instruction Fuzzy Hash: 6F01D8B360431ACEEF34AAB5A4407EAB7E9EB40221F40456BD90AD7581EE31F448C3A5
                                          Function 07DB5C90 Relevance: .1, Instructions: 54COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47d6e9be6d82eaa4a519fe2131e6592565a6314e0edee16eacd031ddf6e37416
                                          • Instruction ID: abfb32c901ab95ed6c3d68ca9d2eaecb7158b280533e4efe6f135b17353358d9
                                          • Opcode Fuzzy Hash: 47d6e9be6d82eaa4a519fe2131e6592565a6314e0edee16eacd031ddf6e37416
                                          • Instruction Fuzzy Hash: C9117932D00B5186EB009F29D840281B3A5FF95324F1A8BBACC4D3F346EB717994C7A0
                                          Function 0193D1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307589945.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_193d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: 88eaa5cd3240b3b70dac405faa18732fe6cb16e571e9fe35a70926e64c163b22
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: 4111BB75904280DFDB16CF54D5D0B15FFA1FB84324F24C6A9D8494B697C33AD80ACB62
                                          Function 07DB9FE9 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c44c3500b50052563bf2d176bfc1f73f70a4a632ba13d0851875324e2c49cd4
                                          • Instruction ID: 41c07856e4c78450e928de341fb60897bc7a265b3f0d554ef89ca9e5214fcb65
                                          • Opcode Fuzzy Hash: 3c44c3500b50052563bf2d176bfc1f73f70a4a632ba13d0851875324e2c49cd4
                                          • Instruction Fuzzy Hash: 6411A975A41309EFDB15DFB4D8408DDBBF9FF89311B1080A6E90597214DB35AE11CB94
                                          Function 07DB5C8F Relevance: .1, Instructions: 52COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 718c54ac085d77d17e61d4ad458cd3cadce3e7d3f1aa48214dd345fbb5c9d2bd
                                          • Instruction ID: e750dfd0a64c6f574368101cd5b13d8030765e1bc94d6338c1ad822a2e7bb928
                                          • Opcode Fuzzy Hash: 718c54ac085d77d17e61d4ad458cd3cadce3e7d3f1aa48214dd345fbb5c9d2bd
                                          • Instruction Fuzzy Hash: F5113772D00B5186EB009F68D850281B3A5FF94324F1A8ABACC4D3F246EB756994C7A0
                                          Function 07DB66E0 Relevance: .1, Instructions: 51COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 42406255c514f9c86a4e5fde371e7fb51feb6b713553940576ab41f1dfe294f6
                                          • Instruction ID: 9bed3444c4a6f69792dec38383c62d0ddc1e324c67aec9379f8a9dfba73801d0
                                          • Opcode Fuzzy Hash: 42406255c514f9c86a4e5fde371e7fb51feb6b713553940576ab41f1dfe294f6
                                          • Instruction Fuzzy Hash: AA11E1303003118BE724AB78D41539B7AE6EB89314F10845DE1898F2C3CEFAA84A47E2
                                          Function 07DB62A0 Relevance: .1, Instructions: 51COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 231698a3f1822a78846b79ccd7831a1b7f8eea71c9369c87c00291cf21ce8cf8
                                          • Instruction ID: 2c337c02f63c39b527b920bc90f44bbb5c82bb407b57852036fdc4cdae8f3700
                                          • Opcode Fuzzy Hash: 231698a3f1822a78846b79ccd7831a1b7f8eea71c9369c87c00291cf21ce8cf8
                                          • Instruction Fuzzy Hash: 7511D6707003118BE714A778D4147DB76D6EB84314F10841DE18A8F3C3CEFAA84A47E6
                                          Function 07DB5240 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d038a7cac42034e4ec507ce9b8ae1fb6eed6a3c60121f9e5cbc02389936faa0c
                                          • Instruction ID: b905c5af8b831e1fa6018783881090473429a5f0cae08ba2f9ec21fe35e5e50b
                                          • Opcode Fuzzy Hash: d038a7cac42034e4ec507ce9b8ae1fb6eed6a3c60121f9e5cbc02389936faa0c
                                          • Instruction Fuzzy Hash: 8F011E74710211DFD718DB69E48896AB7E6EFC8614B148469E41ACB365CB71EC05CB50
                                          Function 0192D795 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307535600.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_192d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4663478a00e7b7d7699c1e5da25fc251b4613a91259ee9e0f867e2a16d82d9fe
                                          • Instruction ID: c9db276189ac514738a8d616c5e222baa7070119830539bc14b669d4738a872f
                                          • Opcode Fuzzy Hash: 4663478a00e7b7d7699c1e5da25fc251b4613a91259ee9e0f867e2a16d82d9fe
                                          • Instruction Fuzzy Hash: F801A7B14053949EF7204F69CD84B66BBDCEF41625F14855AED0D1E28AC37D9444CAB2
                                          Function 07DB0F10 Relevance: .0, Instructions: 44COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3d9b8032b561a53bb3eafc2982a15235602be986f3ae3f54efa8c2024c36ff8
                                          • Instruction ID: 06fe4f38f5edf138574dbe80931105eca7b736f8c51cf8d0dc707201fb4c1a35
                                          • Opcode Fuzzy Hash: c3d9b8032b561a53bb3eafc2982a15235602be986f3ae3f54efa8c2024c36ff8
                                          • Instruction Fuzzy Hash: A1012D70A01B06CFC724EF39C45459AB7B6EF85310F50C56EE9468B260EB30E942CF50
                                          Function 07DB0F00 Relevance: .0, Instructions: 43COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cd6d8915a801219ed9cdab563f064cc65a33696d40b4b661ab9e298805d7f30c
                                          • Instruction ID: 1b0b81636deb5c7a2004865e74f51cf3731d3a09cfa720b1dc7a12aba3b6affb
                                          • Opcode Fuzzy Hash: cd6d8915a801219ed9cdab563f064cc65a33696d40b4b661ab9e298805d7f30c
                                          • Instruction Fuzzy Hash: B2014F71601B06CFC724EF79C454A9AB7B5EF8A350F4085AEE9469B260EF30E942CF51
                                          Function 07DB12D9 Relevance: .0, Instructions: 42COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f3fbcd4f4921ee1aca9ca06731519959016922c39407517fa934144b6688c2ba
                                          • Instruction ID: f09b0267563cc26f60b7c635e1cd952b52b603efc3c104b7474b763993f0d9e1
                                          • Opcode Fuzzy Hash: f3fbcd4f4921ee1aca9ca06731519959016922c39407517fa934144b6688c2ba
                                          • Instruction Fuzzy Hash: BE01ADBA7007058BCB15AB6494146AEB735EFC1320F44462ED9495B200EF31A982C7A6
                                          Function 07DB1358 Relevance: .0, Instructions: 38COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d10cd650b006633bc3c5e8531a904f17d81f666e8e5c05032a8311dfceac3669
                                          • Instruction ID: 7eea1af308368846f170d72282a5029015009869bc0a7897bccb240892bfcf49
                                          • Opcode Fuzzy Hash: d10cd650b006633bc3c5e8531a904f17d81f666e8e5c05032a8311dfceac3669
                                          • Instruction Fuzzy Hash: 13F0C2313007048FC7249B2AE484A5EB7FAFF89321F40096DE40687360DB39AC46CB54
                                          Function 07DB16F0 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8ba6c2e606889bf32090c0a63bd7f9a85db13a08c1f0c79ebee69374cf820df7
                                          • Instruction ID: a0be5df0415b1988ab6cd65d9177626ed6ed21529bab5d519793d5bebd56d1f8
                                          • Opcode Fuzzy Hash: 8ba6c2e606889bf32090c0a63bd7f9a85db13a08c1f0c79ebee69374cf820df7
                                          • Instruction Fuzzy Hash: 6BF054767007154B97249A7EF88485AB7E9EBC8235310463AE10AC7310EE619C068790
                                          Function 07DB12E8 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f25aa5fdfa7c4fd53f3fee2a06ee6b1889051ddc749797a1745bb95e3fa38fb4
                                          • Instruction ID: d3c82d7fb36e63cb1afc16aec56b958ef47d443f6e59c2ac2190f23122963941
                                          • Opcode Fuzzy Hash: f25aa5fdfa7c4fd53f3fee2a06ee6b1889051ddc749797a1745bb95e3fa38fb4
                                          • Instruction Fuzzy Hash: 46F0AFB57007058BCB15BB7484145AEB779EFC1620F44456ED84A5B300EF31A586C6E6
                                          Function 0192D794 Relevance: .0, Instructions: 36COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307535600.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_192d000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9d871e631b5335f0b83df25052f48fde83e2100c7cf5f608bac8f8f36e8210c1
                                          • Instruction ID: 63671b5e5114032218ab329cea7bd096c24c3fd1fbb0dcb0c9d2be650473a556
                                          • Opcode Fuzzy Hash: 9d871e631b5335f0b83df25052f48fde83e2100c7cf5f608bac8f8f36e8210c1
                                          • Instruction Fuzzy Hash: B3F0C272405390AEEB208E1ACD84B62FFDCEB41725F18C55AED0C0F28BC3789844CAB1
                                          Function 07DB56A7 Relevance: .0, Instructions: 34COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e72126179ab1f84ab554ad2b18cb685a83b7144e40eda755abeaf5a8d228d932
                                          • Instruction ID: 5758bff989464541dc0cbd4d772ec5d72c8ab289862e0c611c266de19feb50c9
                                          • Opcode Fuzzy Hash: e72126179ab1f84ab554ad2b18cb685a83b7144e40eda755abeaf5a8d228d932
                                          • Instruction Fuzzy Hash: CFF03037B00019DFCF106BECFC559EDB7A6EBC9225B544067E609DB224DA214C129761
                                          Function 07DBA730 Relevance: .0, Instructions: 32COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 344fe5d596f4976da09bcaa00d6328d638295063460ebc703989dbe266ed9699
                                          • Instruction ID: 92e44c50df87b2e13ad91f31c81bbb244ffd4785e028e030f7aa9c39a7ec765b
                                          • Opcode Fuzzy Hash: 344fe5d596f4976da09bcaa00d6328d638295063460ebc703989dbe266ed9699
                                          • Instruction Fuzzy Hash: 33F0E9B15096618FE3215738A8656D57FA1FB8B200B44C08BE082CF266EA558C0A8791
                                          Function 07DB16E1 Relevance: .0, Instructions: 32COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b5e0bb2b4f16a5528cca95000a9d8ac0d550f2bd71de4ee86479330dd4bcc259
                                          • Instruction ID: 4aad823aa5da4579ceb1ce9a4d976af271a6329d5a8fd9efe258282da13e2731
                                          • Opcode Fuzzy Hash: b5e0bb2b4f16a5528cca95000a9d8ac0d550f2bd71de4ee86479330dd4bcc259
                                          • Instruction Fuzzy Hash: 04F0E276B007158FC7119B7CE898A6D7BAAEF88231700897EE0068B321EE20DC068791
                                          Function 07DB1B51 Relevance: .0, Instructions: 32COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c91d3b965fbc1fd3aa3cf21133f3f9ff71509f317344419d2aeaa1ae90442c3e
                                          • Instruction ID: 2608a64a54ca0cb81b35affa9732942dfec351e4be4c00fc92ef32ca3d117cd3
                                          • Opcode Fuzzy Hash: c91d3b965fbc1fd3aa3cf21133f3f9ff71509f317344419d2aeaa1ae90442c3e
                                          • Instruction Fuzzy Hash: C5F0F430200614CFC714DB2CD898E58BBE5EF4A719B1544A9E50ACB332DB72EC41CB50
                                          Function 07DB67E0 Relevance: .0, Instructions: 31COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 026bd73f9b69ef4431cae344d418ca2d853dd2f176139e84fdaec87deb760fcd
                                          • Instruction ID: 259329bf7ead0a73469e0783defd943184be341e9fb70dad6fc1a1c8584960e9
                                          • Opcode Fuzzy Hash: 026bd73f9b69ef4431cae344d418ca2d853dd2f176139e84fdaec87deb760fcd
                                          • Instruction Fuzzy Hash: 95F05EB5610305CFEF28CF18D482A9577E5FB042187204969E45ACF342D772E8038B84
                                          Function 07DB9FF8 Relevance: .0, Instructions: 29COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c4245c60d59ff01b712313444cfbb03fa9b90af80b51be38c87ec61cbd5ea04
                                          • Instruction ID: a10bf58a08e2266ea6828bbeb721c7606b359d9e27ca8be1349bf48e987ce09f
                                          • Opcode Fuzzy Hash: 2c4245c60d59ff01b712313444cfbb03fa9b90af80b51be38c87ec61cbd5ea04
                                          • Instruction Fuzzy Hash: B1F08C35201306DBE715AF39D4408AA37AAFF853513108469E1008B224CE76AC118B94
                                          Function 07DB1B60 Relevance: .0, Instructions: 28COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 711f0eb2017a7c3dfcac1829d64ebea0e4d03d0b6c9bea3d5f19f42cde9125f5
                                          • Instruction ID: d24613922da4e31e022614f9893a1e2dfc7558056e788cc879c1e0d81c303b82
                                          • Opcode Fuzzy Hash: 711f0eb2017a7c3dfcac1829d64ebea0e4d03d0b6c9bea3d5f19f42cde9125f5
                                          • Instruction Fuzzy Hash: 93F0DF34200614CFC718DB2CD598D99BBE6EF4AB1971185A9E10ACB332DB72EC41CB80
                                          Function 07DBE4CB Relevance: .0, Instructions: 27COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c37a0cf232e8853979cfb98a56736e24dbef2ae86fca53bca01931fe4a40d49
                                          • Instruction ID: 395a26b998180b6bc21cb080be5b3806e994f742f9a693e35bde515c3bfb10e8
                                          • Opcode Fuzzy Hash: 3c37a0cf232e8853979cfb98a56736e24dbef2ae86fca53bca01931fe4a40d49
                                          • Instruction Fuzzy Hash: 78F06D3160E3D58FE317D734A8650E57F71AE5710070D45EFE089CF293EA598D0A87A2
                                          Function 07DB9FA0 Relevance: .0, Instructions: 24COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4cc2ebb2194a310a6e51c01f0bf85e391fc060e21a8016b06e8df28f90d86d20
                                          • Instruction ID: bdb2d71afa6b93bbeeb1d674b1b3f304c63e4cfca08fd33882667771442257fe
                                          • Opcode Fuzzy Hash: 4cc2ebb2194a310a6e51c01f0bf85e391fc060e21a8016b06e8df28f90d86d20
                                          • Instruction Fuzzy Hash: 3CF01571D40209EFCB51DFA4E84449EBBB5EB08301F2081EAD915E2200EA341B098B80
                                          Function 07DB66A1 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cac063d4ecb1ed64adaac55b6cca2bcb34edc08b6b41a475e9abbcfa4ec6f2b
                                          • Instruction ID: 55b0a952620f34a36e3a167fbea82ba200e19773dfa14a719569e24a358ad5ed
                                          • Opcode Fuzzy Hash: 1cac063d4ecb1ed64adaac55b6cca2bcb34edc08b6b41a475e9abbcfa4ec6f2b
                                          • Instruction Fuzzy Hash: 1CE02B363402145BDB0CA65CD4117CAB2D9CFCC750F44807AE10DCB390D9E8DD0143EA
                                          Function 07DB67DF Relevance: .0, Instructions: 20COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 956b047c7969d4b83e4fd95866d50ca5d23edd04cbdf828d062f442b15b9bce2
                                          • Instruction ID: 942c0336a36b2826049328658a3b1f85c1b7fb446206eea68b9619e67bd2335e
                                          • Opcode Fuzzy Hash: 956b047c7969d4b83e4fd95866d50ca5d23edd04cbdf828d062f442b15b9bce2
                                          • Instruction Fuzzy Hash: 3AE08676600201CB9F28CF58E4835997791E7042143144969E40ACF341DB21D8038B80
                                          Function 07DBE058 Relevance: .0, Instructions: 19COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 346a53aea3f9bfa1c29dc7c3f493224136f57705f7d75cdde75689488cd83193
                                          • Instruction ID: 3365fea35a93588ddc7c1a6e8cb505b5de86e77ebf80fda579cc7aadf9a3717a
                                          • Opcode Fuzzy Hash: 346a53aea3f9bfa1c29dc7c3f493224136f57705f7d75cdde75689488cd83193
                                          • Instruction Fuzzy Hash: 80E012357151249FE3046B5CF4909653BB7EB8D735F1040A6E50DCB3A5CA79DC11CB90
                                          Function 07DB9FB0 Relevance: .0, Instructions: 19COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 073dd9b80bd45c03c2aaa5a2ff13b60d765afbc4c9a4dccd3726c7a9c734abaa
                                          • Instruction ID: fccc41a6cd4996abc883e11c4c29885ea24d8fc00b0b602549e6d6d46246340c
                                          • Opcode Fuzzy Hash: 073dd9b80bd45c03c2aaa5a2ff13b60d765afbc4c9a4dccd3726c7a9c734abaa
                                          • Instruction Fuzzy Hash: 50E07E75D4020DEFCB55DFA4E9458DDBBB9EB48200F2082AA9919A2204EA346B559B80
                                          Function 07DBA6F0 Relevance: .0, Instructions: 18COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a46fbb7c961e603f57096d56bf1e06b11bd4cad047c853fcd446213d8a57a786
                                          • Instruction ID: 36cdc2f80aed636e714a00fb838372865d887709db02656e4865c4bbdecf6465
                                          • Opcode Fuzzy Hash: a46fbb7c961e603f57096d56bf1e06b11bd4cad047c853fcd446213d8a57a786
                                          • Instruction Fuzzy Hash: B4E0C2302012248BE654AB28F4522D937A2FB8A310F10841AE1458F346EFA49D0647C4
                                          Function 07DB66B0 Relevance: .0, Instructions: 18COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a3a35b122e5415732f3b8c753a8f2a0facfd50dcebc9056bfbb12648816d026
                                          • Instruction ID: 9e774ade6304e2146f4f811c6065d2ff219fe09d00755948820eca94864a3dc8
                                          • Opcode Fuzzy Hash: 8a3a35b122e5415732f3b8c753a8f2a0facfd50dcebc9056bfbb12648816d026
                                          • Instruction Fuzzy Hash: F6D05E317046145BD70D664C90107DAB6DA8FCD750F04806AE50A8B3A1CAA19C0142EA
                                          Function 07DBE068 Relevance: .0, Instructions: 16COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 86147bb286c674bbb572245aa643dbe5be096edf4000b95edcc16cbbfe9cb327
                                          • Instruction ID: 28f474435f057674ec30057dc2a57fb856598207829f91d2ef72b1eb55959515
                                          • Opcode Fuzzy Hash: 86147bb286c674bbb572245aa643dbe5be096edf4000b95edcc16cbbfe9cb327
                                          • Instruction Fuzzy Hash: CDD05E353100249BA304AA5CE440C563BB9EB8D73471040A6E10887365CA69EC108B90
                                          Function 07DB20C8 Relevance: .0, Instructions: 15COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e734d477e143793a80ef5de7a1066cc0cb7e89647a49ab0c44eeef2646e49c75
                                          • Instruction ID: afa54b473cbf1eb77f6907825b92c1134495fffa1be6eba7eb5d4224e14d8fed
                                          • Opcode Fuzzy Hash: e734d477e143793a80ef5de7a1066cc0cb7e89647a49ab0c44eeef2646e49c75
                                          • Instruction Fuzzy Hash: F4D0A9B22002088FC700CB84C886F243774BF4B765F64008CE94B8B222C322FC00CB10
                                          Function 07DB20D8 Relevance: .0, Instructions: 13COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327940557.0000000007DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7db0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 297dc1e80638cb8261d32d7afade5006b2f7425a309055fc63825cecf9193c78
                                          • Instruction ID: 97d3db385c041ec6213fc5792ee8575d5e068bc48062fdd398b6abd2f1b4189b
                                          • Opcode Fuzzy Hash: 297dc1e80638cb8261d32d7afade5006b2f7425a309055fc63825cecf9193c78
                                          • Instruction Fuzzy Hash: 46C012713406088FCB04DAA8E88086233A8BF88A1930400A8E10E8B621D722F811CA00

                                          Non-executed Functions

                                          Function 08211FF8 Relevance: .4, Instructions: 373COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1328712215.0000000008210000.00000040.00000800.00020000.00000000.sdmp, Offset: 08210000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_8210000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cb4cc88b02c3153a7daf970e1ebcdac7b50e75edadd630cf6e4785786d71cd7
                                          • Instruction ID: bcd3c8d5d178bf3cdbc29eb523765afba2625af2ef7e679844913d807da422c6
                                          • Opcode Fuzzy Hash: 5cb4cc88b02c3153a7daf970e1ebcdac7b50e75edadd630cf6e4785786d71cd7
                                          • Instruction Fuzzy Hash: 1FD1C170A043498FDB15EBB8C45476FBBF2EF89210F24856AD449DB395CA389D02C7A1
                                          Function 05560040 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c4b60140f6253b1e646d2fba9e6d634a251ab6786c25d03b032f5b7f7de371ec
                                          • Instruction ID: 5ba5e081ea65530342326fcb68b2905bd5d4926b528370417fb7aed495e9c976
                                          • Opcode Fuzzy Hash: c4b60140f6253b1e646d2fba9e6d634a251ab6786c25d03b032f5b7f7de371ec
                                          • Instruction Fuzzy Hash: E1E11874E002598FDB14CFA8C584AAEFBB2FF89315F248569D818AB355D734AD41CFA0
                                          Function 05560478 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad3c6394a589a55645162d2bde2b1d161d3706a74ecbfefb0ed3ead9ea9643cd
                                          • Instruction ID: b013a274906ab7f9f96aab7889f4cde85079d100c607d42e5d57c2dea674f272
                                          • Opcode Fuzzy Hash: ad3c6394a589a55645162d2bde2b1d161d3706a74ecbfefb0ed3ead9ea9643cd
                                          • Instruction Fuzzy Hash: 58E10774E002598FDB14DFA9C584AAEFBB2FF88305F248569D814AB355D734AD41CFA0
                                          Function 05561B20 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6113bd25ecf680801cad6b793804a516bc22020825811efe287c10faaf494b42
                                          • Instruction ID: e876db6e6367b360831ce2748f730f8f70697045e05b33ef2be250fa6241abec
                                          • Opcode Fuzzy Hash: 6113bd25ecf680801cad6b793804a516bc22020825811efe287c10faaf494b42
                                          • Instruction Fuzzy Hash: 44E11974E006598FDB14CFA9C580AAEFBB2FF89305F248569D814AB355D734AD41CFA0
                                          Function 055623F8 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ef9671449ed6da6f054c116de401fb86472714bf866cd874a8945e492a67b035
                                          • Instruction ID: d3fa4b21001cc01723ae66e68335e883dd888d640abf4704a41dc5b11c587c2e
                                          • Opcode Fuzzy Hash: ef9671449ed6da6f054c116de401fb86472714bf866cd874a8945e492a67b035
                                          • Instruction Fuzzy Hash: 25E11874E042598FDB14CFA9C580AAEFBB2FF88305F248169D814AB355DB34AD41CFA1
                                          Function 0789F7F8 Relevance: .3, Instructions: 312COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3f6a64219d0ced4f23bce501de36f04b3be3691413584bf84b354e3197b8d602
                                          • Instruction ID: 1fb937288ddd43146316088f9d2bd7597f318fa234b0d83012d92699f19c35db
                                          • Opcode Fuzzy Hash: 3f6a64219d0ced4f23bce501de36f04b3be3691413584bf84b354e3197b8d602
                                          • Instruction Fuzzy Hash: 3FE1E6B4E002198FDB14CFA9C580AAEFBB2FF89315F248569D914EB355D734A941CFA0
                                          Function 078924A9 Relevance: .3, Instructions: 273COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e42e64ce77a444d3d2a89c0ee94dacb4d54f788087133e089d5c6356dadd00d8
                                          • Instruction ID: 9545f0a10ef9e87442c8c5250d63cac18c9cd0a482622cd98c8ceee0ee5f47fb
                                          • Opcode Fuzzy Hash: e42e64ce77a444d3d2a89c0ee94dacb4d54f788087133e089d5c6356dadd00d8
                                          • Instruction Fuzzy Hash: 5ED11535C2075A8ADB10EB68D9506DDB771FFDA300F10879AE0093B255EB706AE5CF91
                                          Function 078924B8 Relevance: .3, Instructions: 264COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 22c891491cdfd449b1986065da839b5dd832afaba52612488eccb3a4089bf158
                                          • Instruction ID: 2593c0db4f99d261d6b7febcf6b4b2810c440042e35b0a701b46ba89337df93a
                                          • Opcode Fuzzy Hash: 22c891491cdfd449b1986065da839b5dd832afaba52612488eccb3a4089bf158
                                          • Instruction Fuzzy Hash: 5BD10535C2075A8ADB10EB68D9506DDB371FFDA300F1087AAE0093B255EB706AE5CF91
                                          Function 01AADE34 Relevance: .3, Instructions: 264COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1307812590.0000000001AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AA0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_1aa0000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c71993d7ac33df1a1699da4a83fc577b51cd647aacd8a0d9fbbf55dbb9090cd
                                          • Instruction ID: e850785b9f5a6b8746ad9a46195723ea7fbe414b696dfc09499c4b5e45361873
                                          • Opcode Fuzzy Hash: 0c71993d7ac33df1a1699da4a83fc577b51cd647aacd8a0d9fbbf55dbb9090cd
                                          • Instruction Fuzzy Hash: 7DA19336E00216CFCF19DFB4C9845DEBBB2FF94300B55856AE905AB265DB31E946CB80
                                          Function 05566740 Relevance: .1, Instructions: 145COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 66b3db540a4a34531afd9210265b6dbad2b22e52250afc954ff5b5867e2190a2
                                          • Instruction ID: 8d220c65235e034e0eba8a50741ce8d826aa6e7ff9430e51c87d56c3ff0ae527
                                          • Opcode Fuzzy Hash: 66b3db540a4a34531afd9210265b6dbad2b22e52250afc954ff5b5867e2190a2
                                          • Instruction Fuzzy Hash: C151F175700A408FE728DF3AC594B6AB7E2BFC8704F19846DE55A8B366DB31E801CB10
                                          Function 05566750 Relevance: .1, Instructions: 139COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8652aa2292e617fe22ecb36d8d51f0e5cb277e4c48bb463de059d36bb4294fa3
                                          • Instruction ID: 0dead7f128415f1c21a8a08ccc843de356bdc621943a7a88bc65e2c540af9f16
                                          • Opcode Fuzzy Hash: 8652aa2292e617fe22ecb36d8d51f0e5cb277e4c48bb463de059d36bb4294fa3
                                          • Instruction Fuzzy Hash: 7951C075704A408FE728DF3AC594B6AB7E2BFC8710F19846DD59A8B366DB31E8058B10
                                          Function 0789F7D8 Relevance: .1, Instructions: 139COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1327463170.0000000007890000.00000040.00000800.00020000.00000000.sdmp, Offset: 07890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_7890000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6de2d4b279f5f37d8cfadfd637c97816cbb42f4b1b80f88c8e6180e79273b7d
                                          • Instruction ID: 5e5f897e49fb6cbfd126687ad72337272a75fbf0b0540ab4a5ab702b6a81beaa
                                          • Opcode Fuzzy Hash: d6de2d4b279f5f37d8cfadfd637c97816cbb42f4b1b80f88c8e6180e79273b7d
                                          • Instruction Fuzzy Hash: 97512AB4E002198FDB14CFA9C540AAEFBF2EF89304F248569D558AB355D7349941CFA1
                                          Function 05563F29 Relevance: .0, Instructions: 39COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.1324780628.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_5560000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 07818dacc8b2ba97e556edaba9d2afd7ec7e5375b0791fbeec0c2f093cce4ee7
                                          • Instruction ID: 682448b412151ed0f795981da3db241f5b14b0627a7b1b16e3d5fd2115b7d740
                                          • Opcode Fuzzy Hash: 07818dacc8b2ba97e556edaba9d2afd7ec7e5375b0791fbeec0c2f093cce4ee7
                                          • Instruction Fuzzy Hash: BAF0C939849298CFCF20DF54E4882F8B7B9FB4A355F0064AED60EA3262D7305A84CE44

                                          Execution Graph

                                          Execution Coverage:9.2%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:431
                                          Total number of Limit Nodes:36
                                          execution_graph 26515 15cd01c 26516 15cd034 26515->26516 26517 15cd08e 26516->26517 26520 5712f28 26516->26520 26529 5712f18 26516->26529 26521 5712f55 26520->26521 26522 5712f89 26521->26522 26524 5712f79 26521->26524 26554 5712b64 26522->26554 26538 571317c 26524->26538 26544 57130a0 26524->26544 26549 57130b0 26524->26549 26525 5712f87 26530 5712f28 26529->26530 26531 5712f89 26530->26531 26534 5712f79 26530->26534 26532 5712b64 CallWindowProcW 26531->26532 26533 5712f87 26532->26533 26535 57130b0 10 API calls 26534->26535 26536 57130a0 10 API calls 26534->26536 26537 571317c 10 API calls 26534->26537 26535->26533 26536->26533 26537->26533 26539 571313a 26538->26539 26540 571318a 26538->26540 26558 5713159 26539->26558 26564 5713168 26539->26564 26541 5713150 26541->26525 26546 57130c4 26544->26546 26545 5713150 26545->26525 26547 5713159 10 API calls 26546->26547 26548 5713168 10 API calls 26546->26548 26547->26545 26548->26545 26551 57130c4 26549->26551 26550 5713150 26550->26525 26552 5713159 10 API calls 26551->26552 26553 5713168 10 API calls 26551->26553 26552->26550 26553->26550 26555 5712b6f 26554->26555 26556 57143ea CallWindowProcW 26555->26556 26557 5714399 26555->26557 26556->26557 26557->26525 26559 5713168 26558->26559 26560 5713179 26559->26560 26569 5714321 26559->26569 26572 5718260 26559->26572 26590 5718270 26559->26590 26560->26541 26565 5713179 26564->26565 26566 5714321 CallWindowProcW 26564->26566 26567 5718270 10 API calls 26564->26567 26568 5718260 10 API calls 26564->26568 26565->26541 26566->26565 26567->26565 26568->26565 26570 5712b64 CallWindowProcW 26569->26570 26571 571433a 26570->26571 26571->26560 26573 571826c 26572->26573 26574 57182d0 26573->26574 26575 571828e 26573->26575 26580 571829c 26573->26580 26578 571855c 26574->26578 26574->26580 26576 5718293 26575->26576 26577 57182aa 26575->26577 26579 57184ba 26576->26579 26576->26580 26577->26580 26583 5718524 26577->26583 26584 57184c8 26577->26584 26587 57183d6 26577->26587 26616 5717b88 26578->26616 26608 5717ad8 26579->26608 26580->26587 26622 57189f0 26580->26622 26627 5718a00 26580->26627 26612 5717b48 26583->26612 26632 5717ae8 26584->26632 26587->26560 26591 5718271 26590->26591 26592 57182d0 26591->26592 26593 571828e 26591->26593 26594 571829c 26591->26594 26592->26594 26597 571855c 26592->26597 26595 5718293 26593->26595 26596 57182aa 26593->26596 26605 57183d6 26594->26605 26606 57189f0 10 API calls 26594->26606 26607 5718a00 10 API calls 26594->26607 26595->26594 26598 57184ba 26595->26598 26596->26594 26601 5718524 26596->26601 26602 57184c8 26596->26602 26596->26605 26600 5717b88 10 API calls 26597->26600 26599 5717ad8 10 API calls 26598->26599 26599->26605 26600->26605 26603 5717b48 10 API calls 26601->26603 26604 5717ae8 9 API calls 26602->26604 26603->26605 26604->26605 26605->26560 26606->26605 26607->26605 26609 5717ae3 26608->26609 26610 5718a00 10 API calls 26609->26610 26611 5718c16 26610->26611 26611->26587 26613 5717b53 26612->26613 26614 5718a00 10 API calls 26613->26614 26615 571d0fc 26614->26615 26615->26587 26617 5717b93 26616->26617 26618 5717ae8 9 API calls 26617->26618 26619 571c980 26618->26619 26620 5718a00 10 API calls 26619->26620 26621 571c989 26620->26621 26621->26587 26623 57189f4 26622->26623 26624 57189e4 26623->26624 26638 5718a20 26623->26638 26624->26587 26625 5718a18 26625->26587 26628 5718a01 26627->26628 26629 5718a0b 26628->26629 26631 5718a20 10 API calls 26628->26631 26629->26587 26630 5718a18 26630->26587 26631->26630 26634 5717af3 26632->26634 26633 571bab7 26633->26587 26634->26633 26679 5714630 26634->26679 26636 571b8d4 26636->26633 26684 57178bc 26636->26684 26639 5718a24 26638->26639 26640 5718a60 26639->26640 26641 5718a3e 26639->26641 26642 5713720 10 API calls 26640->26642 26644 5718a4c 26641->26644 26647 5713720 26641->26647 26646 5718a67 26642->26646 26644->26625 26645 5718a88 26645->26625 26646->26625 26648 571376c 26647->26648 26649 5713edc 26648->26649 26652 57137b0 26648->26652 26655 571351c 26649->26655 26651 5713a0c 26651->26645 26652->26651 26660 5718a90 26652->26660 26664 5718aa0 26652->26664 26656 5713527 26655->26656 26657 571d1cd 26656->26657 26668 161c4b8 26656->26668 26657->26651 26658 571d198 26658->26658 26661 5718a94 26660->26661 26662 5712b64 CallWindowProcW 26661->26662 26663 5718b09 26661->26663 26662->26663 26663->26651 26665 5718aa1 26664->26665 26666 5712b64 CallWindowProcW 26665->26666 26667 5718b09 26665->26667 26666->26667 26667->26651 26669 161c4c3 26668->26669 26672 161f104 26669->26672 26671 161fdcf 26671->26658 26675 161f10f 26672->26675 26673 161ff78 26673->26671 26674 161ff41 26677 571d260 9 API calls 26674->26677 26678 571d250 9 API calls 26674->26678 26675->26673 26675->26674 26676 161f104 9 API calls 26675->26676 26676->26675 26677->26673 26678->26673 26680 5714640 26679->26680 26681 571467d 26680->26681 26690 5717cc0 26680->26690 26709 5717cb0 26680->26709 26681->26636 26685 57178c7 26684->26685 26686 571b600 26685->26686 26687 5714630 9 API calls 26685->26687 26686->26633 26688 571b5ec 26687->26688 26788 5719de8 26688->26788 26694 5717cc1 26690->26694 26692 5717e03 26732 5717030 26692->26732 26728 57178ac 26694->26728 26695 5717e0d 26696 57178bc 9 API calls 26695->26696 26697 5717e15 26696->26697 26699 5717e3c 26697->26699 26746 57178cc 26697->26746 26700 5714630 9 API calls 26699->26700 26701 5717f1f 26699->26701 26703 5717ec5 26700->26703 26705 5717f80 26701->26705 26762 161f01c 26701->26762 26702 5717f94 26703->26701 26751 5715a6c 26703->26751 26766 571cf80 26705->26766 26770 571cf90 26705->26770 26713 5717cb4 26709->26713 26710 57178ac 9 API calls 26711 5717e03 26710->26711 26712 5717030 9 API calls 26711->26712 26714 5717e0d 26712->26714 26713->26710 26715 57178bc 9 API calls 26714->26715 26716 5717e15 26715->26716 26717 57178cc 9 API calls 26716->26717 26718 5717e3c 26716->26718 26717->26718 26719 5714630 9 API calls 26718->26719 26720 5717f1f 26718->26720 26723 5717ec5 26719->26723 26721 5717f80 26720->26721 26725 161f01c 9 API calls 26720->26725 26726 571cf90 9 API calls 26721->26726 26727 571cf80 9 API calls 26721->26727 26722 5717f94 26723->26720 26724 5715a6c 9 API calls 26723->26724 26724->26720 26725->26721 26726->26722 26727->26722 26729 57178b7 26728->26729 26730 5714630 9 API calls 26729->26730 26731 57196b8 26729->26731 26730->26731 26731->26692 26734 571703b 26732->26734 26733 5719868 26733->26695 26734->26733 26735 57197e1 26734->26735 26738 5719834 26734->26738 26774 5718fe4 26734->26774 26736 571981a 26735->26736 26739 5715a6c 9 API calls 26735->26739 26737 5715a6c 9 API calls 26736->26737 26740 5719826 26737->26740 26738->26733 26744 5714630 9 API calls 26738->26744 26741 571980c 26739->26741 26743 5718ff4 9 API calls 26740->26743 26778 5718ff4 26741->26778 26743->26738 26744->26733 26747 57178d7 26746->26747 26748 571bcb6 26747->26748 26749 5714630 9 API calls 26747->26749 26748->26699 26750 571bd86 26749->26750 26750->26699 26753 5715a77 26751->26753 26752 571b4ae 26752->26701 26753->26752 26754 571b4f3 26753->26754 26755 571b566 SendMessageW 26753->26755 26758 5714630 8 API calls 26754->26758 26757 571b59c 26755->26757 26757->26701 26759 571b508 26758->26759 26760 5719dc0 SendMessageW 26759->26760 26761 571b519 26760->26761 26761->26701 26763 161f027 26762->26763 26764 161c4b8 9 API calls 26763->26764 26765 161f8f5 26763->26765 26764->26765 26765->26705 26767 571cf90 26766->26767 26768 57178bc 9 API calls 26767->26768 26769 571cfa4 26768->26769 26769->26702 26771 571cf9d 26770->26771 26772 57178bc 9 API calls 26771->26772 26773 571cfa4 26772->26773 26773->26702 26775 5718fef 26774->26775 26784 5719d94 9 API calls 26775->26784 26777 571b35d 26777->26735 26779 5718fff 26778->26779 26780 5714630 9 API calls 26779->26780 26781 571b508 26780->26781 26785 5719dc0 26781->26785 26784->26777 26786 571b530 SendMessageW 26785->26786 26787 571b519 26786->26787 26787->26736 26789 5719df3 26788->26789 26790 5717ae8 9 API calls 26789->26790 26791 571b6d4 26790->26791 26791->26686 26792 1616540 26793 1616586 26792->26793 26797 1616720 26793->26797 26800 161670f 26793->26800 26794 1616673 26807 161611c 26797->26807 26801 1616713 26800->26801 26803 161677b DuplicateHandle 26800->26803 26802 161611c DuplicateHandle 26801->26802 26804 161674e 26801->26804 26802->26804 26806 161681e 26803->26806 26804->26794 26806->26794 26808 1616788 DuplicateHandle 26807->26808 26810 161674e 26808->26810 26810->26794 26811 5715eb3 26812 5715ebc 26811->26812 26814 5715eda 26811->26814 26813 5714630 9 API calls 26812->26813 26812->26814 26813->26814 26815 5714630 9 API calls 26814->26815 26816 5716013 26814->26816 26815->26816 26817 1614668 26818 1614676 26817->26818 26827 1616de0 26818->26827 26821 1614704 26836 5716b00 26821->26836 26840 5716b10 26821->26840 26844 5716ad1 26821->26844 26822 161470c 26828 1616e05 26827->26828 26849 1616ef0 26828->26849 26853 1616edf 26828->26853 26829 16146e9 26832 161421c 26829->26832 26833 1614227 26832->26833 26861 1618560 26833->26861 26835 1618806 26835->26821 26837 5716b04 26836->26837 26907 5715ad8 26837->26907 26841 5716b11 26840->26841 26842 5715ad8 9 API calls 26841->26842 26843 5716b42 26842->26843 26843->26822 26845 5716ad9 26844->26845 26846 5716ad4 26844->26846 26845->26822 26846->26845 26847 5715ad8 9 API calls 26846->26847 26848 5716b42 26847->26848 26848->26822 26851 1616f17 26849->26851 26850 1616ff4 26850->26850 26851->26850 26857 1616414 26851->26857 26854 1616f17 26853->26854 26855 1616414 CreateActCtxA 26854->26855 26856 1616ff4 26854->26856 26855->26856 26858 1617370 CreateActCtxA 26857->26858 26860 1617433 26858->26860 26860->26860 26862 161856b 26861->26862 26865 1618580 26862->26865 26864 16188dd 26864->26835 26866 161858b 26865->26866 26869 16185b0 26866->26869 26868 16189ba 26868->26864 26870 16185bb 26869->26870 26873 16185e0 26870->26873 26872 1618aad 26872->26868 26875 16185eb 26873->26875 26874 1619ed1 26874->26872 26875->26874 26877 161df70 26875->26877 26878 161df91 26877->26878 26879 161dfb5 26878->26879 26881 161e120 26878->26881 26879->26874 26882 161e12d 26881->26882 26883 161e166 26882->26883 26885 161c464 26882->26885 26883->26879 26886 161c46f 26885->26886 26887 161e1d8 26886->26887 26889 161c498 26886->26889 26890 161c4a3 26889->26890 26891 16185e0 9 API calls 26890->26891 26892 161e247 26891->26892 26899 161e2c0 26892->26899 26893 161e256 26894 161c4a8 9 API calls 26893->26894 26895 161e270 26894->26895 26896 161c4b8 9 API calls 26895->26896 26897 161e277 26896->26897 26897->26887 26900 161e2ee 26899->26900 26901 161e3bf 26900->26901 26905 161e42b 26900->26905 26906 5714630 8 API calls 26900->26906 26902 161c4b8 8 API calls 26901->26902 26901->26905 26902->26905 26903 161e366 26904 161e3ba KiUserCallbackDispatcher 26903->26904 26904->26901 26906->26903 26908 5715ae3 26907->26908 26911 5715b14 26908->26911 26910 5716c54 26913 5715b1f 26911->26913 26912 5716e00 9 API calls 26916 57172c9 26912->26916 26915 571716e 26913->26915 26913->26916 26917 5716e00 26913->26917 26915->26912 26915->26916 26916->26910 26918 5716e0b 26917->26918 26922 5717507 26918->26922 26934 5717518 26918->26934 26919 5717504 26919->26915 26926 571750c 26922->26926 26923 5717552 26923->26919 26924 571762f 26933 161e2c0 9 API calls 26924->26933 26925 571763d 26927 5714630 9 API calls 26925->26927 26928 5717665 26925->26928 26926->26923 26926->26924 26929 5717692 26926->26929 26927->26928 26928->26919 26929->26928 26930 5714630 9 API calls 26929->26930 26931 5717737 26930->26931 26931->26928 26932 5717030 9 API calls 26931->26932 26932->26928 26933->26925 26937 5717519 26934->26937 26935 5717552 26935->26919 26936 571762f 26945 161e2c0 9 API calls 26936->26945 26937->26935 26937->26936 26941 5717692 26937->26941 26938 571763d 26939 5714630 9 API calls 26938->26939 26940 5717665 26938->26940 26939->26940 26940->26919 26941->26940 26942 5714630 9 API calls 26941->26942 26943 5717737 26942->26943 26943->26940 26944 5717030 9 API calls 26943->26944 26944->26940 26945->26938 26946 161bf08 26949 161bff0 26946->26949 26947 161bf17 26950 161c034 26949->26950 26951 161c011 26949->26951 26950->26947 26951->26950 26952 161c238 GetModuleHandleW 26951->26952 26953 161c265 26952->26953 26953->26947 26954 5712018 SetWindowLongW 26955 5712084 26954->26955 26956 57199c8 26957 57199c9 26956->26957 26960 5719a43 26957->26960 26961 5719068 26957->26961 26963 5719073 26961->26963 26962 5719a3c 26963->26962 26966 571b159 26963->26966 26973 571b168 26963->26973 26967 571b15c 26966->26967 26980 5719d7c 26967->26980 26969 571b18f 26969->26962 26971 571b1b8 CreateIconFromResourceEx 26972 571b236 26971->26972 26972->26962 26974 571b169 26973->26974 26975 5719d7c CreateIconFromResourceEx 26974->26975 26976 571b182 26975->26976 26977 571b18f 26976->26977 26978 571b1b8 CreateIconFromResourceEx 26976->26978 26977->26962 26979 571b236 26978->26979 26979->26962 26981 571b1b8 CreateIconFromResourceEx 26980->26981 26982 571b182 26981->26982 26982->26969 26982->26971 26983 57144b8 26984 57144c8 26983->26984 26988 5718df9 26984->26988 26994 5718e08 26984->26994 26985 57144f1 26989 5718dfc 26988->26989 27000 5715c08 26989->27000 26991 5718e92 27012 5717c50 26991->27012 26993 5718e99 26993->26985 26995 5718e09 26994->26995 26996 5715c08 9 API calls 26995->26996 26997 5718e92 26996->26997 26998 5717c50 9 API calls 26997->26998 26999 5718e99 26998->26999 26999->26985 27004 5715c34 27000->27004 27002 5714630 9 API calls 27003 5716013 27002->27003 27003->26991 27010 5715e6c 27004->27010 27022 57155fc 27004->27022 27005 5715ced 27006 5714630 9 API calls 27005->27006 27011 5715d95 27005->27011 27007 5715d5f 27006->27007 27008 5714630 9 API calls 27007->27008 27008->27011 27009 5714630 9 API calls 27009->27010 27010->27002 27010->27003 27011->27009 27013 5717c5b 27012->27013 27014 5719435 27013->27014 27015 57193fd 27013->27015 27021 5719404 27013->27021 27017 5719486 27014->27017 27018 571945a 27014->27018 27016 5714630 9 API calls 27015->27016 27016->27021 27019 5714630 9 API calls 27017->27019 27020 5714630 9 API calls 27018->27020 27019->27021 27020->27021 27021->26993 27024 5715607 27022->27024 27023 5714630 9 API calls 27027 5716169 27023->27027 27025 5714630 9 API calls 27024->27025 27026 57161a7 27024->27026 27024->27027 27025->27027 27026->27005 27027->27023 27027->27026 27028 571c388 27029 5714630 9 API calls 27028->27029 27030 571c398 27029->27030

                                          Executed Functions

                                          Function 0161BFF0 Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 558 161bff0-161c00f 559 161c011-161c01e call 161af60 558->559 560 161c03b-161c03f 558->560 567 161c020 559->567 568 161c034 559->568 561 161c041-161c04b 560->561 562 161c053-161c094 560->562 561->562 569 161c0a1-161c0af 562->569 570 161c096-161c09e 562->570 613 161c026 call 161c689 567->613 614 161c026 call 161c698 567->614 568->560 571 161c0b1-161c0b6 569->571 572 161c0d3-161c0d5 569->572 570->569 575 161c0c1 571->575 576 161c0b8-161c0bf call 161af6c 571->576 574 161c0d8-161c0df 572->574 573 161c02c-161c02e 573->568 577 161c170-161c230 573->577 578 161c0e1-161c0e9 574->578 579 161c0ec-161c0f3 574->579 581 161c0c3-161c0d1 575->581 576->581 608 161c232-161c235 577->608 609 161c238-161c263 GetModuleHandleW 577->609 578->579 582 161c100-161c109 call 161af7c 579->582 583 161c0f5-161c0fd 579->583 581->574 589 161c116-161c11b 582->589 590 161c10b-161c113 582->590 583->582 591 161c139-161c146 589->591 592 161c11d-161c124 589->592 590->589 598 161c169-161c16f 591->598 599 161c148-161c166 591->599 592->591 594 161c126-161c136 call 161af8c call 161af9c 592->594 594->591 599->598 608->609 610 161c265-161c26b 609->610 611 161c26c-161c280 609->611 610->611 613->573 614->573
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0161C256
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 3b0cf20756549717f4fd54f3fe7e2e3498b6c6f3c2859dcc628e2d46c87cff25
                                          • Instruction ID: 7b1e9c0347499f8f5fffceaaeda034d27c02e2334422bef04b732a29531ae9a6
                                          • Opcode Fuzzy Hash: 3b0cf20756549717f4fd54f3fe7e2e3498b6c6f3c2859dcc628e2d46c87cff25
                                          • Instruction Fuzzy Hash: E78156B0A00B458FE724DF69D84179ABBF6FF88200F04892ED44ADBB54D775E846CB91
                                          Function 0571C90C Relevance: 1.6, APIs: 1, Instructions: 118threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 615 571c90c-571e161 619 571e163-571e16c 615->619 620 571e16e 615->620 621 571e170-571e175 619->621 620->621 622 571e195-571e22a 621->622 623 571e177-571e194 621->623 630 571e236-571e266 EnumThreadWindows 622->630 631 571e22c-571e234 622->631 632 571e268-571e26e 630->632 633 571e26f-571e29c 630->633 631->630 632->633
                                          APIs
                                          • EnumThreadWindows.USER32(?,00000000,?), ref: 0571E259
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: EnumThreadWindows
                                          • String ID:
                                          • API String ID: 2941952884-0
                                          • Opcode ID: 7d6bd5913a50c712386aa94df2ecaf971e933c500dbd88289863b8230ec6f5ce
                                          • Instruction ID: 8282b734a6dd14f61210363480429f1fab4170f60ba767821c34573ee306d874
                                          • Opcode Fuzzy Hash: 7d6bd5913a50c712386aa94df2ecaf971e933c500dbd88289863b8230ec6f5ce
                                          • Instruction Fuzzy Hash: DC418071A042099FDB14DF99C844BAEBBF9EF88310F14842AE819E7350DB78A845DB65
                                          Function 0161670F Relevance: 1.6, APIs: 1, Instructions: 105COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 637 161670f-1616711 638 1616713-1616747 637->638 639 161677b-161681c DuplicateHandle 637->639 641 161674e-1616774 638->641 642 1616749 call 161611c 638->642 646 1616825-1616842 639->646 647 161681e-1616824 639->647 642->641 647->646
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0161674E,?,?,?,?,?), ref: 0161680F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: e139a23a62c64a3c7a953265710900341218510ad69c93735d9046d9563975a6
                                          • Instruction ID: 222863c441aae4b7400ca434e859e9b344640633eebee5cd224fc218f041304b
                                          • Opcode Fuzzy Hash: e139a23a62c64a3c7a953265710900341218510ad69c93735d9046d9563975a6
                                          • Instruction Fuzzy Hash: 2D416F7A900248AFCB01CF99D844AEEBFF9FF49310F15805AE914A7351D7799915CFA0
                                          Function 05712B64 Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 651 5712b64-571438c 656 5714392-5714397 651->656 657 571443c-571445c 651->657 658 5714399-57143d0 656->658 659 57143ea-5714422 CallWindowProcW 656->659 663 571445f-571446c 657->663 665 57143d2-57143d8 658->665 666 57143d9-57143e8 658->666 661 5714424-571442a 659->661 662 571442b-571443a 659->662 661->662 662->663 665->666 666->663
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 05714411
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          • Opcode ID: ed4432af2201edab6b618d598e127a16b52bbc54fde1bf5ed2e25a8a9348bbf6
                                          • Instruction ID: 599e4b28d2d4851136c6650f461275e86a1a84d3f766f50934ffc4e15d804357
                                          • Opcode Fuzzy Hash: ed4432af2201edab6b618d598e127a16b52bbc54fde1bf5ed2e25a8a9348bbf6
                                          • Instruction Fuzzy Hash: 674119B5900305DFDB14CF99C488BAABBF6FF88314F24C459E919AB321D775A841CBA4
                                          Function 01616414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 669 1616414-1617431 CreateActCtxA 672 1617433-1617439 669->672 673 161743a-1617494 669->673 672->673 680 16174a3-16174a7 673->680 681 1617496-1617499 673->681 682 16174a9-16174b5 680->682 683 16174b8 680->683 681->680 682->683 685 16174b9 683->685 685->685
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01617421
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: cc058d0b34b47a18b6eaaea106f50f63a7c381bed791d2785541c06ed5efcd8b
                                          • Instruction ID: 9dc80fafafa84cc2793054011960943dc5b7b1c863a2b1fe966e3baa15973513
                                          • Opcode Fuzzy Hash: cc058d0b34b47a18b6eaaea106f50f63a7c381bed791d2785541c06ed5efcd8b
                                          • Instruction Fuzzy Hash: 7641CF70C04719CFEB28DFA9C844B9EBBB5BF49304F24806AD408AB255DB75694ACF90
                                          Function 01617364 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 686 1617364-1617431 CreateActCtxA 688 1617433-1617439 686->688 689 161743a-1617494 686->689 688->689 696 16174a3-16174a7 689->696 697 1617496-1617499 689->697 698 16174a9-16174b5 696->698 699 16174b8 696->699 697->696 698->699 701 16174b9 699->701 701->701
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01617421
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 0aa69f9b794f0c69ae35648f9ce2f5da813a8d7785eacb6f6ecf59f341bb7771
                                          • Instruction ID: 75409a73cfd8e8840eab3daf061f71b68ecbe446ebc0d2605a3962507f0b0f66
                                          • Opcode Fuzzy Hash: 0aa69f9b794f0c69ae35648f9ce2f5da813a8d7785eacb6f6ecf59f341bb7771
                                          • Instruction Fuzzy Hash: EF41EFB1C00719CFEB29CFA9C944B8DBBF5BF49304F24806AD408AB265D775694ACF90
                                          Function 05715A6C Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 702 5715a6c-571b4ac 706 571b4b2-571b4f1 702->706 707 571b4ae-571b4b1 702->707 714 571b4f3-571b514 call 5714630 call 5719dc0 706->714 715 571b566-571b573 706->715 725 571b519-571b51c 714->725 716 571b575-571b578 715->716 717 571b57d-571b59a SendMessageW 715->717 716->717 719 571b5a3-571b5b7 717->719 720 571b59c-571b5a2 717->720 720->719
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6a4ea6afaece07ce547e00319703e29a6908a30e8909cec7573345432a372f3
                                          • Instruction ID: 93d5c874a7284845db86d7dccb021cf76aa6bcdef053df372a94aba74dafc715
                                          • Opcode Fuzzy Hash: d6a4ea6afaece07ce547e00319703e29a6908a30e8909cec7573345432a372f3
                                          • Instruction Fuzzy Hash: 70210772B043089FDB149F6ED848BAEBFF9EF85310F14805AE809D7251CA349D45D7A5
                                          Function 0571B168 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 726 571b168-571b18d call 5719d7c 730 571b1a2-571b234 CreateIconFromResourceEx 726->730 731 571b18f-571b19f call 571ac28 726->731 736 571b236-571b23c 730->736 737 571b23d-571b25a 730->737 736->737
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CreateFromIconResource
                                          • String ID:
                                          • API String ID: 3668623891-0
                                          • Opcode ID: d3ee67dd0f9e34b49fd8920b97eb3ff4154c2a6262c64328c0ce991d202d892e
                                          • Instruction ID: f7a0e5a62c88cb0ca35a5d7735d0b28ee95397443c4f01d6cdbc28079a519f69
                                          • Opcode Fuzzy Hash: d3ee67dd0f9e34b49fd8920b97eb3ff4154c2a6262c64328c0ce991d202d892e
                                          • Instruction Fuzzy Hash: EA31AB72900348DFCB11DFA9C804AEEBFF8EF09250F14805AE954AB221C335A854DFA5
                                          Function 0161611C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 740 161611c-161681c DuplicateHandle 743 1616825-1616842 740->743 744 161681e-1616824 740->744 744->743
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0161674E,?,?,?,?,?), ref: 0161680F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2fd58f45bc29b831414c1d125015238487756bb69a12ba7ecaea1624f897904c
                                          • Instruction ID: 1cc514131fbee9fbb739f984281bd751de5587128b504870164461750429bd10
                                          • Opcode Fuzzy Hash: 2fd58f45bc29b831414c1d125015238487756bb69a12ba7ecaea1624f897904c
                                          • Instruction Fuzzy Hash: 0921E5B5D00248EFDB10CF9AD984ADEBBF8EB48310F14841AE914A7350D379A944CFA5
                                          Function 01616780 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 747 1616780-16167f5 750 16167f8-161681c DuplicateHandle 747->750 751 1616825-1616842 750->751 752 161681e-1616824 750->752 752->751
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0161674E,?,?,?,?,?), ref: 0161680F
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2d297adf6d0e914fb5164c5b2bcfc6b0c9e3efa5ff7b233bd7b46e037fcc5c45
                                          • Instruction ID: a46c60c0e11628a168658e05c4ed5caae4208abc40caab20b9112171708430dc
                                          • Opcode Fuzzy Hash: 2d297adf6d0e914fb5164c5b2bcfc6b0c9e3efa5ff7b233bd7b46e037fcc5c45
                                          • Instruction Fuzzy Hash: 9A21E5B5D00248DFDB10CF9AD984AEEBBF8EB48310F14841AE914A7351D379A944CFA5
                                          Function 0571C91C Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 755 571c91c-571e22a 757 571e236-571e266 EnumThreadWindows 755->757 758 571e22c-571e234 755->758 759 571e268-571e26e 757->759 760 571e26f-571e29c 757->760 758->757 759->760
                                          APIs
                                          • EnumThreadWindows.USER32(?,00000000,?), ref: 0571E259
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: EnumThreadWindows
                                          • String ID:
                                          • API String ID: 2941952884-0
                                          • Opcode ID: 673115d480c06398439d16da819dda6c6103453daca3d76faa179ddc5ea471fd
                                          • Instruction ID: d9c2ca3964b686befdba41bb1dd11da3e7a5246e57073cea6c6154489da21373
                                          • Opcode Fuzzy Hash: 673115d480c06398439d16da819dda6c6103453daca3d76faa179ddc5ea471fd
                                          • Instruction Fuzzy Hash: 20213571900609CFDB14CF9AC844BEEFBF8FB88310F14842AE815A7240D778A944CFA5
                                          Function 05719D7C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 764 5719d7c-571b234 CreateIconFromResourceEx 766 571b236-571b23c 764->766 767 571b23d-571b25a 764->767 766->767
                                          APIs
                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0571B182,?,?,?,?,?), ref: 0571B227
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: CreateFromIconResource
                                          • String ID:
                                          • API String ID: 3668623891-0
                                          • Opcode ID: 5a8facdcdedb0111dfd77ce2684ee46441d6e07414e98ed622a3973bc7ff8455
                                          • Instruction ID: 0345e5fd012b384b085bf3bb9720e9358ded6ad28508f0f706c8fc3682bbc7e1
                                          • Opcode Fuzzy Hash: 5a8facdcdedb0111dfd77ce2684ee46441d6e07414e98ed622a3973bc7ff8455
                                          • Instruction Fuzzy Hash: 7B113A75800349DFDB10CF9AD844BEEBFF8EB48310F14841AE955A7250C379A954DFA5
                                          Function 0161C1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0161C256
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1353251328.0000000001610000.00000040.00000800.00020000.00000000.sdmp, Offset: 01610000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_1610000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 8ecd86b9d80c228b4cccdc06b40bbdc446d3abac3c03c007ad28265b702df82c
                                          • Instruction ID: 445f0b928b0f266543ff0a364267556a69ea45616452bec9f60accd2b941bbb8
                                          • Opcode Fuzzy Hash: 8ecd86b9d80c228b4cccdc06b40bbdc446d3abac3c03c007ad28265b702df82c
                                          • Instruction Fuzzy Hash: 1611E0B6C006498FDB24DF9AC844BDEFBF4EB88210F14852AD929A7710C379A545CFA5
                                          Function 05719DC0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • SendMessageW.USER32(?,?,?,?), ref: 0571B58D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: a54a60af43ea0f5cd3db423a084a1d2f7d498ab6294c35e9e194686cca23417c
                                          • Instruction ID: a15c0bea9fef3a4d890e5849c20e6c85d2b6c99c60356a9c05a70f2f7c346003
                                          • Opcode Fuzzy Hash: a54a60af43ea0f5cd3db423a084a1d2f7d498ab6294c35e9e194686cca23417c
                                          • Instruction Fuzzy Hash: 691103B5800348DFDB20DF9AD485BDEBBF8EB48310F10841AE919A7300C375A944CFA5
                                          Function 0571B52B Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • SendMessageW.USER32(?,?,?,?), ref: 0571B58D
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 6c6909a6aced34ded6601b1f096cc0874190d41a5ce6cb31c77a707d6086bf8b
                                          • Instruction ID: e79f1f63ab4b97643cd34341e3ba60460417d778bb81b05bd10bac6b04ea1979
                                          • Opcode Fuzzy Hash: 6c6909a6aced34ded6601b1f096cc0874190d41a5ce6cb31c77a707d6086bf8b
                                          • Instruction Fuzzy Hash: 441103B5800348DFDB10DF9AC885BDEBBF8EB48310F108419E918A7200C375A944CFA5
                                          Function 05712010 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                          Download Yara Rule
                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 05712075
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: 3e1df8b52bfcb27cb8334efaa928e81eadcfdfdc241bfc42f6033f076f9afb4b
                                          • Instruction ID: d3221155244e4db6d96d0fd5394767c2ec741b56d62e4f11cf20f30f9afafbe7
                                          • Opcode Fuzzy Hash: 3e1df8b52bfcb27cb8334efaa928e81eadcfdfdc241bfc42f6033f076f9afb4b
                                          • Instruction Fuzzy Hash: 1C1133B9800208CFDB10CF9AC585BEEBBF8EB48310F20851AD819A7741D379A944CFA5
                                          Function 05712018 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                          Download Yara Rule
                                          APIs
                                          • SetWindowLongW.USER32(?,?,?), ref: 05712075
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1365405677.0000000005710000.00000040.00000800.00020000.00000000.sdmp, Offset: 05710000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_5710000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID: LongWindow
                                          • String ID:
                                          • API String ID: 1378638983-0
                                          • Opcode ID: 3420c2e37d88a8e4c12134aa220b228edbfd89c9d9070a2739e33148d4f34dc8
                                          • Instruction ID: 2dd82904dfa8484ffd67ea67dc79c1883498eb586d8fcec678410817791b110f
                                          • Opcode Fuzzy Hash: 3420c2e37d88a8e4c12134aa220b228edbfd89c9d9070a2739e33148d4f34dc8
                                          • Instruction Fuzzy Hash: A41115B5800249DFDB20CF9AC585BDEFBF8EB48320F10851AD959A7341C375A944CFA5
                                          Function 015CD01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1352669275.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_15cd000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a51a0c7d73347b64fcacbc92dd17d42981cc56a261b4760c2ee71e3cfc979a44
                                          • Instruction ID: 1fa94d8bf2e0fe6aeff72c0fa8ca190f9fabe93f27148a6241e4927f7d1ce8d9
                                          • Opcode Fuzzy Hash: a51a0c7d73347b64fcacbc92dd17d42981cc56a261b4760c2ee71e3cfc979a44
                                          • Instruction Fuzzy Hash: 4A21F175504200EFDB15DFA8D580B26BBA1FB84714F20C96DE80A9F292D33AD407CAA2
                                          Function 015CD006 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1352669275.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_15cd000_doc_Pedido 02024091622008176.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89348d3d6fdf46406b036d0997af39dcdc215141e566efc9f7f804d4f213577b
                                          • Instruction ID: 9e4686f9866b8dfeb0a29efc6e2e68b9783347769a1edfbcc64a45956ff63a2a
                                          • Opcode Fuzzy Hash: 89348d3d6fdf46406b036d0997af39dcdc215141e566efc9f7f804d4f213577b
                                          • Instruction Fuzzy Hash: 9621B0755083809FCB12CF68D590715BF71FB46214F28C5EED8498F6A3C33A980ACBA2

                                          Execution Graph

                                          Execution Coverage:9.3%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:257
                                          Total number of Limit Nodes:20
                                          execution_graph 40984 8a80478 CloseHandle 40985 8a804df 40984->40985 40986 8a86688 40987 8a866ac 40986->40987 40988 8a866b3 40986->40988 40992 8a866da 40988->40992 40993 8a8513c 40988->40993 40991 8a8513c GetCurrentThreadId 40991->40992 40994 8a85147 40993->40994 40995 8a869ef GetCurrentThreadId 40994->40995 40996 8a866d0 40994->40996 40995->40996 40996->40991 40997 10ed528 DuplicateHandle 40998 10ed5be 40997->40998 41049 10eb238 41050 10eb27a 41049->41050 41051 10eb280 GetModuleHandleW 41049->41051 41050->41051 41052 10eb2ad 41051->41052 40733 12752e0 40735 12752e4 40733->40735 40734 127546b 40735->40734 40737 1274edc 40735->40737 40738 1275560 PostMessageW 40737->40738 40739 12755cc 40738->40739 40739->40735 40999 56f99c8 41000 56f99da 40999->41000 41001 56f99f0 40999->41001 41003 56f7fcc 41000->41003 41004 56f7fd7 41003->41004 41005 56fa24e 41004->41005 41008 56fb1c8 41004->41008 41013 56fb1d8 41004->41013 41005->41001 41010 56fb1d8 41008->41010 41009 56fb20e 41009->41004 41010->41009 41018 56f9cd8 41010->41018 41014 56fb1f9 41013->41014 41015 56fb20e 41014->41015 41016 56f9cd8 DrawTextExW 41014->41016 41015->41004 41017 56fb25e 41016->41017 41019 56f9ce3 41018->41019 41022 56fbdec 41019->41022 41021 56fb25e 41024 56fbdf7 41022->41024 41023 56fcb51 41023->41021 41024->41023 41028 56fd660 41024->41028 41032 56fd670 41024->41032 41025 56fcc55 41025->41021 41029 56fd670 41028->41029 41035 56fbfc4 41029->41035 41033 56fbfc4 DrawTextExW 41032->41033 41034 56fd68d 41033->41034 41034->41025 41036 56fd6a8 DrawTextExW 41035->41036 41038 56fd68d 41036->41038 41038->41025 40740 12731ad 40742 127306c 40740->40742 40741 127307b 40742->40741 40747 1273a40 40742->40747 40770 1273a78 40742->40770 40792 1273ade 40742->40792 40743 1273473 40748 1273a03 40747->40748 40749 1273a62 40747->40749 40748->40743 40815 127433a 40749->40815 40820 1273f5a 40749->40820 40828 127461b 40749->40828 40834 127435d 40749->40834 40839 1273eff 40749->40839 40844 1273fbf 40749->40844 40854 12742df 40749->40854 40859 12740df 40749->40859 40864 12744b3 40749->40864 40868 1273ff6 40749->40868 40873 1274117 40749->40873 40878 12740f7 40749->40878 40883 12744e9 40749->40883 40891 1273ea2 40749->40891 40898 1273f24 40749->40898 40904 1274164 40749->40904 40909 1274024 40749->40909 40914 12740a5 40749->40914 40921 12742ba 40749->40921 40750 1273a9a 40750->40743 40771 1273a92 40770->40771 40773 12740a5 4 API calls 40771->40773 40774 1274024 2 API calls 40771->40774 40775 1274164 2 API calls 40771->40775 40776 1273f24 2 API calls 40771->40776 40777 1273ea2 4 API calls 40771->40777 40778 12744e9 4 API calls 40771->40778 40779 12740f7 2 API calls 40771->40779 40780 1274117 2 API calls 40771->40780 40781 1273ff6 2 API calls 40771->40781 40782 12744b3 2 API calls 40771->40782 40783 12740df 2 API calls 40771->40783 40784 12742df 2 API calls 40771->40784 40785 1273fbf 4 API calls 40771->40785 40786 1273eff 2 API calls 40771->40786 40787 127435d 2 API calls 40771->40787 40788 127461b 2 API calls 40771->40788 40789 1273f5a 4 API calls 40771->40789 40790 127433a 2 API calls 40771->40790 40791 12742ba 2 API calls 40771->40791 40772 1273a9a 40772->40743 40773->40772 40774->40772 40775->40772 40776->40772 40777->40772 40778->40772 40779->40772 40780->40772 40781->40772 40782->40772 40783->40772 40784->40772 40785->40772 40786->40772 40787->40772 40788->40772 40789->40772 40790->40772 40791->40772 40793 1273a6c 40792->40793 40794 1273ae1 40792->40794 40796 12740a5 4 API calls 40793->40796 40797 1274024 2 API calls 40793->40797 40798 1274164 2 API calls 40793->40798 40799 1273f24 2 API calls 40793->40799 40800 1273ea2 4 API calls 40793->40800 40801 12744e9 4 API calls 40793->40801 40802 12740f7 2 API calls 40793->40802 40803 1274117 2 API calls 40793->40803 40804 1273ff6 2 API calls 40793->40804 40805 12744b3 2 API calls 40793->40805 40806 12740df 2 API calls 40793->40806 40807 12742df 2 API calls 40793->40807 40808 1273fbf 4 API calls 40793->40808 40809 1273eff 2 API calls 40793->40809 40810 127435d 2 API calls 40793->40810 40811 127461b 2 API calls 40793->40811 40812 1273f5a 4 API calls 40793->40812 40813 127433a 2 API calls 40793->40813 40814 12742ba 2 API calls 40793->40814 40794->40743 40795 1273a9a 40795->40743 40796->40795 40797->40795 40798->40795 40799->40795 40800->40795 40801->40795 40802->40795 40803->40795 40804->40795 40805->40795 40806->40795 40807->40795 40808->40795 40809->40795 40810->40795 40811->40795 40812->40795 40813->40795 40814->40795 40816 127417f 40815->40816 40817 1274060 40816->40817 40926 12729c1 40816->40926 40930 12729c8 40816->40930 40817->40750 40934 1274b27 40820->40934 40939 1274b38 40820->40939 40821 1273fb9 40822 1273f0b 40822->40821 40944 1272340 40822->40944 40948 1272348 40822->40948 40823 12748ee 40829 1274622 40828->40829 40830 1274290 40828->40830 40831 12748bc 40830->40831 40832 12729c1 WriteProcessMemory 40830->40832 40833 12729c8 WriteProcessMemory 40830->40833 40832->40830 40833->40830 40835 1273f0b 40834->40835 40837 1272340 ResumeThread 40835->40837 40838 1272348 ResumeThread 40835->40838 40836 12748ee 40837->40836 40838->40836 40840 1273f0b 40839->40840 40842 1272340 ResumeThread 40840->40842 40843 1272348 ResumeThread 40840->40843 40841 12748ee 40842->40841 40843->40841 40845 1273fcc 40844->40845 40846 12742db 40844->40846 40845->40846 40847 1273f0b 40845->40847 40848 127486e 40846->40848 40960 1272ab0 40846->40960 40964 1272ab8 40846->40964 40850 1272340 ResumeThread 40847->40850 40851 1272348 ResumeThread 40847->40851 40849 12748ee 40850->40849 40851->40849 40855 12742e5 40854->40855 40856 127486e 40855->40856 40857 1272ab0 ReadProcessMemory 40855->40857 40858 1272ab8 ReadProcessMemory 40855->40858 40857->40855 40858->40855 40861 1274290 40859->40861 40860 12748bc 40861->40860 40862 12729c1 WriteProcessMemory 40861->40862 40863 12729c8 WriteProcessMemory 40861->40863 40862->40861 40863->40861 40865 12747c8 40864->40865 40968 1272901 40865->40968 40972 1272908 40865->40972 40869 1273ffa 40868->40869 40871 12729c1 WriteProcessMemory 40869->40871 40872 12729c8 WriteProcessMemory 40869->40872 40870 1274271 40871->40870 40872->40870 40874 1273f0b 40873->40874 40874->40873 40876 1272340 ResumeThread 40874->40876 40877 1272348 ResumeThread 40874->40877 40875 12748ee 40876->40875 40877->40875 40880 1274104 40878->40880 40879 127486e 40880->40879 40881 1272ab0 ReadProcessMemory 40880->40881 40882 1272ab8 ReadProcessMemory 40880->40882 40881->40880 40882->40880 40884 12740a4 40883->40884 40885 1273f0b 40884->40885 40887 1272830 Wow64SetThreadContext 40884->40887 40888 1272828 Wow64SetThreadContext 40884->40888 40885->40750 40889 1272340 ResumeThread 40885->40889 40890 1272348 ResumeThread 40885->40890 40886 12748ee 40887->40885 40888->40885 40889->40886 40890->40886 40976 1272c45 40891->40976 40980 1272c50 40891->40980 40892 1273ed9 40896 1272340 ResumeThread 40892->40896 40897 1272348 ResumeThread 40892->40897 40893 12748ee 40896->40893 40897->40893 40899 1273f0b 40898->40899 40900 1274473 40899->40900 40902 1272340 ResumeThread 40899->40902 40903 1272348 ResumeThread 40899->40903 40900->40750 40901 12748ee 40902->40901 40903->40901 40905 127416e 40904->40905 40907 12729c1 WriteProcessMemory 40905->40907 40908 12729c8 WriteProcessMemory 40905->40908 40906 1274060 40906->40750 40907->40906 40908->40906 40910 1273ffa 40909->40910 40912 12729c1 WriteProcessMemory 40910->40912 40913 12729c8 WriteProcessMemory 40910->40913 40911 1274271 40912->40911 40913->40911 40919 1272830 Wow64SetThreadContext 40914->40919 40920 1272828 Wow64SetThreadContext 40914->40920 40915 12740bf 40917 1272340 ResumeThread 40915->40917 40918 1272348 ResumeThread 40915->40918 40916 12748ee 40917->40916 40918->40916 40919->40915 40920->40915 40922 12742db 40921->40922 40923 127486e 40922->40923 40924 1272ab0 ReadProcessMemory 40922->40924 40925 1272ab8 ReadProcessMemory 40922->40925 40924->40922 40925->40922 40927 1272a10 WriteProcessMemory 40926->40927 40929 1272a67 40927->40929 40929->40817 40931 1272a10 WriteProcessMemory 40930->40931 40933 1272a67 40931->40933 40933->40817 40935 1274b4d 40934->40935 40952 1272830 40935->40952 40956 1272828 40935->40956 40936 1274b63 40936->40822 40940 1274b4d 40939->40940 40942 1272830 Wow64SetThreadContext 40940->40942 40943 1272828 Wow64SetThreadContext 40940->40943 40941 1274b63 40941->40822 40942->40941 40943->40941 40945 1272388 ResumeThread 40944->40945 40947 12723b9 40945->40947 40947->40823 40949 1272388 ResumeThread 40948->40949 40951 12723b9 40949->40951 40951->40823 40953 1272875 Wow64SetThreadContext 40952->40953 40955 12728bd 40953->40955 40955->40936 40957 1272875 Wow64SetThreadContext 40956->40957 40959 12728bd 40957->40959 40959->40936 40961 1272b03 ReadProcessMemory 40960->40961 40963 1272b47 40961->40963 40963->40846 40965 1272b03 ReadProcessMemory 40964->40965 40967 1272b47 40965->40967 40967->40846 40969 1272948 VirtualAllocEx 40968->40969 40971 1272985 40969->40971 40971->40865 40973 1272948 VirtualAllocEx 40972->40973 40975 1272985 40973->40975 40975->40865 40977 1272c50 CreateProcessA 40976->40977 40979 1272e9b 40977->40979 40981 1272cd9 CreateProcessA 40980->40981 40983 1272e9b 40981->40983 41039 10ed2e0 41040 10ed326 GetCurrentProcess 41039->41040 41042 10ed378 GetCurrentThread 41040->41042 41043 10ed371 41040->41043 41044 10ed3b5 GetCurrentProcess 41042->41044 41045 10ed3ae 41042->41045 41043->41042 41048 10ed3eb 41044->41048 41045->41044 41046 10ed413 GetCurrentThreadId 41047 10ed444 41046->41047 41048->41046

                                          Executed Functions

                                          Function 010ED2DF Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 010ED35E
                                          • GetCurrentThread.KERNEL32 ref: 010ED39B
                                          • GetCurrentProcess.KERNEL32 ref: 010ED3D8
                                          • GetCurrentThreadId.KERNEL32 ref: 010ED431
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1366318927.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_10e0000_workbook.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 3da1a5de373c6ce45b6b878dbe65431925628c375dc12f2fc1b5b588d6a28414
                                          • Instruction ID: ba4c740f6e70fa4f242a634b2d4cb3c3dffcc3f3f4ea222fdc2911b40dcbd02e
                                          • Opcode Fuzzy Hash: 3da1a5de373c6ce45b6b878dbe65431925628c375dc12f2fc1b5b588d6a28414
                                          • Instruction Fuzzy Hash: 835136B0900349CFEB28CFAAD548BEEBBF5EB88314F20C459E059AB360D7745945CB65
                                          Function 010ED2E0 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 010ED35E
                                          • GetCurrentThread.KERNEL32 ref: 010ED39B
                                          • GetCurrentProcess.KERNEL32 ref: 010ED3D8
                                          • GetCurrentThreadId.KERNEL32 ref: 010ED431
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1366318927.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_10e0000_workbook.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 2322292be52466952949f4a5ef5599495710a2a128f18ff66cce70847d76b4ed
                                          • Instruction ID: 2cda051f78f0520034b4cfaaef2300b2c3fbb296feccb5962388fc90d91c923d
                                          • Opcode Fuzzy Hash: 2322292be52466952949f4a5ef5599495710a2a128f18ff66cce70847d76b4ed
                                          • Instruction Fuzzy Hash: DE5146B0900309CFEB28CFAAD548BDEBBF5EB48314F20C459E059AB360D7749944CB65
                                          Function 01272C45 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 44 1272c45-1272ce5 47 1272ce7-1272cf1 44->47 48 1272d1e-1272d3e 44->48 47->48 49 1272cf3-1272cf5 47->49 55 1272d77-1272da6 48->55 56 1272d40-1272d4a 48->56 50 1272cf7-1272d01 49->50 51 1272d18-1272d1b 49->51 53 1272d05-1272d14 50->53 54 1272d03 50->54 51->48 53->53 57 1272d16 53->57 54->53 62 1272ddf-1272e99 CreateProcessA 55->62 63 1272da8-1272db2 55->63 56->55 58 1272d4c-1272d4e 56->58 57->51 60 1272d71-1272d74 58->60 61 1272d50-1272d5a 58->61 60->55 64 1272d5e-1272d6d 61->64 65 1272d5c 61->65 76 1272ea2-1272f28 62->76 77 1272e9b-1272ea1 62->77 63->62 66 1272db4-1272db6 63->66 64->64 67 1272d6f 64->67 65->64 68 1272dd9-1272ddc 66->68 69 1272db8-1272dc2 66->69 67->60 68->62 71 1272dc6-1272dd5 69->71 72 1272dc4 69->72 71->71 73 1272dd7 71->73 72->71 73->68 87 1272f2a-1272f2e 76->87 88 1272f38-1272f3c 76->88 77->76 87->88 89 1272f30 87->89 90 1272f3e-1272f42 88->90 91 1272f4c-1272f50 88->91 89->88 90->91 92 1272f44 90->92 93 1272f52-1272f56 91->93 94 1272f60-1272f64 91->94 92->91 93->94 97 1272f58 93->97 95 1272f76-1272f7d 94->95 96 1272f66-1272f6c 94->96 98 1272f94 95->98 99 1272f7f-1272f8e 95->99 96->95 97->94 101 1272f95 98->101 99->98 101->101
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01272E86
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 03dde13d21d90482f4d4fa2e0a8ea51e7564d2c28533f9835ab25cbf38a5dff3
                                          • Instruction ID: fc06cec77e5abe21297755585d710cc1c70b9f4b00e7aeb283d945ea82ac7f78
                                          • Opcode Fuzzy Hash: 03dde13d21d90482f4d4fa2e0a8ea51e7564d2c28533f9835ab25cbf38a5dff3
                                          • Instruction Fuzzy Hash: 85A15B71D10619CFEB24CF69C8417EEBBB2BF48314F1481AAE948A7244DB749985CF91
                                          Function 01272C50 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 102 1272c50-1272ce5 104 1272ce7-1272cf1 102->104 105 1272d1e-1272d3e 102->105 104->105 106 1272cf3-1272cf5 104->106 112 1272d77-1272da6 105->112 113 1272d40-1272d4a 105->113 107 1272cf7-1272d01 106->107 108 1272d18-1272d1b 106->108 110 1272d05-1272d14 107->110 111 1272d03 107->111 108->105 110->110 114 1272d16 110->114 111->110 119 1272ddf-1272e99 CreateProcessA 112->119 120 1272da8-1272db2 112->120 113->112 115 1272d4c-1272d4e 113->115 114->108 117 1272d71-1272d74 115->117 118 1272d50-1272d5a 115->118 117->112 121 1272d5e-1272d6d 118->121 122 1272d5c 118->122 133 1272ea2-1272f28 119->133 134 1272e9b-1272ea1 119->134 120->119 123 1272db4-1272db6 120->123 121->121 124 1272d6f 121->124 122->121 125 1272dd9-1272ddc 123->125 126 1272db8-1272dc2 123->126 124->117 125->119 128 1272dc6-1272dd5 126->128 129 1272dc4 126->129 128->128 130 1272dd7 128->130 129->128 130->125 144 1272f2a-1272f2e 133->144 145 1272f38-1272f3c 133->145 134->133 144->145 146 1272f30 144->146 147 1272f3e-1272f42 145->147 148 1272f4c-1272f50 145->148 146->145 147->148 149 1272f44 147->149 150 1272f52-1272f56 148->150 151 1272f60-1272f64 148->151 149->148 150->151 154 1272f58 150->154 152 1272f76-1272f7d 151->152 153 1272f66-1272f6c 151->153 155 1272f94 152->155 156 1272f7f-1272f8e 152->156 153->152 154->151 158 1272f95 155->158 156->155 158->158
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01272E86
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: d21e4fc51e0f43f838be994e93f047c936e765e0ebdba6f07b2e567c81888eb9
                                          • Instruction ID: 02ab5bfcb2c8fb188d7cec2536c93ea558b9630b2ce840e1f686971dc5c4042c
                                          • Opcode Fuzzy Hash: d21e4fc51e0f43f838be994e93f047c936e765e0ebdba6f07b2e567c81888eb9
                                          • Instruction Fuzzy Hash: 2E915B71D1061ACFEB24DF69C841BEEBBB2FF48310F148569E908A7244DB749985CF91
                                          Function 056FBFC4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 267 56fbfc4-56fd6f4 269 56fd6ff-56fd70e 267->269 270 56fd6f6-56fd6fc 267->270 271 56fd713-56fd74c DrawTextExW 269->271 272 56fd710 269->272 270->269 273 56fd74e-56fd754 271->273 274 56fd755-56fd772 271->274 272->271 273->274
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056FD68D,?,?), ref: 056FD73F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1413164945.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_56f0000_workbook.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: e27e982d0d638594f907225cec7ee0bd5cf536b7310a1e1764d36a762d245207
                                          • Instruction ID: 5afad47bea5534fc965f30de31d426dbeb9b5113c2fd8a19f19d03facd692b26
                                          • Opcode Fuzzy Hash: e27e982d0d638594f907225cec7ee0bd5cf536b7310a1e1764d36a762d245207
                                          • Instruction Fuzzy Hash: E631E0B5D003099FDB10DF9AD884AAEFBF5FB48310F14842AE919A7310D774A944CFA4
                                          Function 056FD6A1 Relevance: 1.6, APIs: 1, Instructions: 71COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 287 56fd6a1-56fd6f4 289 56fd6ff-56fd70e 287->289 290 56fd6f6-56fd6fc 287->290 291 56fd713-56fd74c DrawTextExW 289->291 292 56fd710 289->292 290->289 293 56fd74e-56fd754 291->293 294 56fd755-56fd772 291->294 292->291 293->294
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056FD68D,?,?), ref: 056FD73F
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1413164945.00000000056F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_56f0000_workbook.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 3917cc7be560ee6641ffc2424af8f040556cc818a65a8ee423ada1255a4df0ff
                                          • Instruction ID: e746bac878eb1687d40d717db3b47e6bab71ec71f0c88fb5211080d53ed08a61
                                          • Opcode Fuzzy Hash: 3917cc7be560ee6641ffc2424af8f040556cc818a65a8ee423ada1255a4df0ff
                                          • Instruction Fuzzy Hash: 8C31C0B5D002499FDB10CF9AD884A9EFBF9FB48310F14842AE919A7710D775A944CFA4
                                          Function 012729C1 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 277 12729c1-1272a16 279 1272a26-1272a65 WriteProcessMemory 277->279 280 1272a18-1272a24 277->280 282 1272a67-1272a6d 279->282 283 1272a6e-1272a9e 279->283 280->279 282->283
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01272A58
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: a02adaf83ea9e5a7f6ce4074e6afa7b404a78e4d6621a0a91b54d4b3fbafaa0e
                                          • Instruction ID: ba4cf07a046be7ec8905694317ff04bdfa4964b11c000bb36e3f7bf4ede5a33e
                                          • Opcode Fuzzy Hash: a02adaf83ea9e5a7f6ce4074e6afa7b404a78e4d6621a0a91b54d4b3fbafaa0e
                                          • Instruction Fuzzy Hash: E2212472910349DFDB14DFA9C880BEEBBF1FB48310F10842AE959A7241D7799941CB64
                                          Function 012729C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 297 12729c8-1272a16 299 1272a26-1272a65 WriteProcessMemory 297->299 300 1272a18-1272a24 297->300 302 1272a67-1272a6d 299->302 303 1272a6e-1272a9e 299->303 300->299 302->303
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01272A58
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 97f67af7427843c8b602bef2f162663028add93e0319c3a13a3c24fc0e50fb5d
                                          • Instruction ID: 720a0c4acbdbe3d4c7d90cadef389d431cf1a73adf2b02858ed751a2ce4b5f65
                                          • Opcode Fuzzy Hash: 97f67af7427843c8b602bef2f162663028add93e0319c3a13a3c24fc0e50fb5d
                                          • Instruction Fuzzy Hash: 71212471910349DFDB14DFAAC980BEEBBF5FF48310F10842AEA18A7240C7799945CBA4
                                          Function 01272828 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 307 1272828-127287b 309 127287d-1272889 307->309 310 127288b-12728bb Wow64SetThreadContext 307->310 309->310 312 12728c4-12728f4 310->312 313 12728bd-12728c3 310->313 313->312
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 012728AE
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 42b58925011493be30ea5c2a169472b4565c0244aeeb0539950ebd1493889b4a
                                          • Instruction ID: eda44dd89587d9d9a8b34dc8cbb97c2b9943da7ea7579fd6cdd711b570a4c307
                                          • Opcode Fuzzy Hash: 42b58925011493be30ea5c2a169472b4565c0244aeeb0539950ebd1493889b4a
                                          • Instruction Fuzzy Hash: 30214872D10309CFEB14CFA9C4857EEBBF0EB48210F14842ED559A7240CB799945CFA4
                                          Function 01272AB0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 317 1272ab0-1272b45 ReadProcessMemory 320 1272b47-1272b4d 317->320 321 1272b4e-1272b7e 317->321 320->321
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01272B38
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 58dd217eb24cffa6616a8a0752961a6711196c69125a06aeba20321c2df9c57c
                                          • Instruction ID: 4db9cbb9eb94a20e4cd13d78705303ddc298abf80197a38fdce89c86e248aad0
                                          • Opcode Fuzzy Hash: 58dd217eb24cffa6616a8a0752961a6711196c69125a06aeba20321c2df9c57c
                                          • Instruction Fuzzy Hash: A321F4B2C10349DFDB14CFA9C880BEEBBF5FF48310F50842AE919A7250D73999018B65
                                          Function 01272830 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 325 1272830-127287b 327 127287d-1272889 325->327 328 127288b-12728bb Wow64SetThreadContext 325->328 327->328 330 12728c4-12728f4 328->330 331 12728bd-12728c3 328->331 331->330
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 012728AE
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: b45d1493ef54cf5d08b5b399c1567b348be00cbd8258eac8c0831494aa2a10ea
                                          • Instruction ID: 444b97e214f4e1f12fbd5779e6e301ee4e607b94abcdf5b02a72180acb210bce
                                          • Opcode Fuzzy Hash: b45d1493ef54cf5d08b5b399c1567b348be00cbd8258eac8c0831494aa2a10ea
                                          • Instruction Fuzzy Hash: 41215471D10309CFEB14CFAAC480BEEBBF4EB48210F14842AE519A7340CB789945CBA4
                                          Function 01272AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 335 1272ab8-1272b45 ReadProcessMemory 338 1272b47-1272b4d 335->338 339 1272b4e-1272b7e 335->339 338->339
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01272B38
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 911f416c46040b297400480a4ff97b5adef2bd5140ad90c380214047393eaf23
                                          • Instruction ID: 4b32ffd016f1112d98fe55054e000319ec5f81daed911f53eab77c42bf246c18
                                          • Opcode Fuzzy Hash: 911f416c46040b297400480a4ff97b5adef2bd5140ad90c380214047393eaf23
                                          • Instruction Fuzzy Hash: A72103718003499FDB14DFAAC880BEEBBF5FF48310F50842AE919A7240D73999018BA5
                                          Function 010ED528 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 348 10ed528-10ed5bc DuplicateHandle 349 10ed5be-10ed5c4 348->349 350 10ed5c5-10ed5e2 348->350 349->350
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010ED5AF
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1366318927.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_10e0000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 1d940ad9854f3d2c3faa31ed7877d08428992af0d35d59159702d4d791c4792d
                                          • Instruction ID: b35b5acbc62b23241d4e8ee6e072770f3537779e72369b3c6a1d058e8b47a459
                                          • Opcode Fuzzy Hash: 1d940ad9854f3d2c3faa31ed7877d08428992af0d35d59159702d4d791c4792d
                                          • Instruction Fuzzy Hash: 4621C4B5D00248DFDB10CF9AD584ADEFBF4EB48314F14841AE958A7350D379A944CFA5
                                          Function 010ED527 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 343 10ed527-10ed5bc DuplicateHandle 344 10ed5be-10ed5c4 343->344 345 10ed5c5-10ed5e2 343->345 344->345
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010ED5AF
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1366318927.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_10e0000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 815127f01a2eef3accfcaf35cff39825dc4a982de29bb0d8baf68f1e80813a00
                                          • Instruction ID: ca7359dd1db3f8396a2dec2d9b3f8de7938377470789ff98dbcc9e087633acbf
                                          • Opcode Fuzzy Hash: 815127f01a2eef3accfcaf35cff39825dc4a982de29bb0d8baf68f1e80813a00
                                          • Instruction Fuzzy Hash: 3D21E0B6D00248EFDB10CFAAD484AEEFBF4EB48310F14801AE958A7350C379A945CF64
                                          Function 01272901 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01272976
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: bdb99593a702b238bd11548c49e7345904a20347b8ffca7c0d2538563ebf04aa
                                          • Instruction ID: 6a476c45a43856ef16308b69ec6fccc85c3f4247d8e046647722be70d8532f6e
                                          • Opcode Fuzzy Hash: bdb99593a702b238bd11548c49e7345904a20347b8ffca7c0d2538563ebf04aa
                                          • Instruction Fuzzy Hash: 1F111472C10349DFDB24DFA9C845BEEBBF5EB88320F24841AE559A7250C7799940CFA4
                                          Function 01272908 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01272976
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 34c9b32ecfae1c8d40035b19b5429b7d6618b79ef7be8d9a69989b7026dc75d7
                                          • Instruction ID: 4b366acdb1e5144bb44abeb9cac9d4565d6863bbfefab36d1a95a4707382e9e1
                                          • Opcode Fuzzy Hash: 34c9b32ecfae1c8d40035b19b5429b7d6618b79ef7be8d9a69989b7026dc75d7
                                          • Instruction Fuzzy Hash: A5112672800349DFDB24DFAAC844BDFFBF5EB48310F248419E559A7250CB799540CBA5
                                          Function 01272340 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: a69e5582f29cf4583d2d44cf363b93f7a00886a458fd8debc7e6f270bcde0bed
                                          • Instruction ID: ea06511af2cee724bf84fee096921ac25a6bec6ab1ae0ce3431fc3c8e4753490
                                          • Opcode Fuzzy Hash: a69e5582f29cf4583d2d44cf363b93f7a00886a458fd8debc7e6f270bcde0bed
                                          • Instruction Fuzzy Hash: 6A1146B1C10348CFDB24DFAAC4457EEFBF4EB88210F24842ED519A7240CA399941CB94
                                          Function 01272348 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: b8f8ea280063b3305c3f804b2aff41ade8ee3f541f6e5bbc3748f175449eb28c
                                          • Instruction ID: cc6c790e266603487869ddba4febfdcab0ccdfc5b9b160a07a291f6c38c9c517
                                          • Opcode Fuzzy Hash: b8f8ea280063b3305c3f804b2aff41ade8ee3f541f6e5bbc3748f175449eb28c
                                          • Instruction Fuzzy Hash: BE112571D00348CFDB24DFAAC4447EEFBF4EB88224F24841AD519A7340CA79A944CBA9
                                          Function 010EB238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 010EB29E
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1366318927.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_10e0000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: df50f00453da8992330ea27da205f0900b6f0557e59e0b3dafc75afe6c7a6e01
                                          • Instruction ID: 4b05ebd2ba1cb585665eb3aa8b4ffa7178dcf6bfb8aaffeddfd1d723df6be18b
                                          • Opcode Fuzzy Hash: df50f00453da8992330ea27da205f0900b6f0557e59e0b3dafc75afe6c7a6e01
                                          • Instruction Fuzzy Hash: 09110FB6C002498FDB24CF9AC444ADEFBF4EF88314F10841AD968A7210C379A545CFA5
                                          Function 010EB237 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 010EB29E
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1366318927.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_10e0000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: bf020fea87c102b902070e2cd42ce9c47f03a346345e92f1378bfdc8eb0e0f3a
                                          • Instruction ID: 28b0fd2919a903da46aad26c0c20f09e45bdce54ddb4121e495e7c5d36b51ac5
                                          • Opcode Fuzzy Hash: bf020fea87c102b902070e2cd42ce9c47f03a346345e92f1378bfdc8eb0e0f3a
                                          • Instruction Fuzzy Hash: 2C110FB6C002498FDB24CFAAD484ADEFBF4EF88314F10845AD869A7210C379A545CFA1
                                          Function 01274EDC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 012755BD
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 47838a244e80ce008088b56a71f9b3f3ca907c086687c8f306ddd80f69242b54
                                          • Instruction ID: a3e43fcdc73550f94224acb11fc57d6670004b625200525392b3e10f8d51e24f
                                          • Opcode Fuzzy Hash: 47838a244e80ce008088b56a71f9b3f3ca907c086687c8f306ddd80f69242b54
                                          • Instruction Fuzzy Hash: F311E0B6810349DFDB20DF9AD485BDEFBF8EB48310F10841AE558A7200D375A944CFA5
                                          Function 01275559 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 012755BD
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1374377417.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_1270000_workbook.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 49ed0251448872611c3025e0e1f7fa33b846b28bf0aa87a858ce9da839c0ac50
                                          • Instruction ID: 6f4ab6aa859ca5e6722ae0ce75d48a0e1516482feb2c3843d4e4bbeb9c42c7ce
                                          • Opcode Fuzzy Hash: 49ed0251448872611c3025e0e1f7fa33b846b28bf0aa87a858ce9da839c0ac50
                                          • Instruction Fuzzy Hash: C011F2B6800349DFDB20CF9AD485BDEFBF4EB48320F20841AE558A7210C379A944CFA1
                                          Function 08A80472 Relevance: 1.3, APIs: 1, Instructions: 49COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 08A804D0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1414339379.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_8a80000_workbook.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 337aa53f71b8bde7eac5658416cffd128456f4e59650aed6449bf16a181408b5
                                          • Instruction ID: 8430b12d79283d476a87947f4afea5c83e74637d8ce9b9de528e46a7adbdd542
                                          • Opcode Fuzzy Hash: 337aa53f71b8bde7eac5658416cffd128456f4e59650aed6449bf16a181408b5
                                          • Instruction Fuzzy Hash: 931133B6800749CFDB20DF9AC445BDEBBF4EB48320F10841AD958A7740C738A648CFA5
                                          Function 08A80478 Relevance: 1.3, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 08A804D0
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1414339379.0000000008A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A80000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_8a80000_workbook.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 95352c3a308811d3204a514ee25a80944fc3f31092c78351ac78e86a8e2c2353
                                          • Instruction ID: 7d4dde318de764912e056a7a52f07265ec86a0eb05deca33fdeff7ee6b867298
                                          • Opcode Fuzzy Hash: 95352c3a308811d3204a514ee25a80944fc3f31092c78351ac78e86a8e2c2353
                                          • Instruction Fuzzy Hash: B31103B6800749CFDB20DF9AC545BDEBBF4EB48320F10841AD958A7741D739A544CFA5
                                          Function 00E0D4C4 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362772566.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e0d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c0ee1de867258bf3fe6938f8e884372f21580ec9474f72c6d35de3d8333f7557
                                          • Instruction ID: 26697db833d4b8c47815663a26c78730aec1c7b8c64420b5ecd3f78c7c929a35
                                          • Opcode Fuzzy Hash: c0ee1de867258bf3fe6938f8e884372f21580ec9474f72c6d35de3d8333f7557
                                          • Instruction Fuzzy Hash: 6221C172508240EFDB15DF54DDC0B26BB65FB88318F248569ED092B296C336D896CBA2
                                          Function 00E0D3D8 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362772566.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e0d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fba184860352ac38a141e2e27992d08a9c9641f6429dffe1eefd1799657442c0
                                          • Instruction ID: 16b344d55424ef04a8000b5ae17e9268acd014295d5b0377cc01bfef3b8eee3a
                                          • Opcode Fuzzy Hash: fba184860352ac38a141e2e27992d08a9c9641f6429dffe1eefd1799657442c0
                                          • Instruction Fuzzy Hash: 57210672508204DFDB14DF54D9C0B26BB65FB94328F20C569E9095F296C336E896CBA2
                                          Function 00E1D1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362902221.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e1d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34b2557aa455a40970c3cd02a16767b717c6d1cc10d157f026d29448814577d1
                                          • Instruction ID: a5ff34ccae2f2f7957165ba105e6a577f0620983e34f0aea244512fbefd727f4
                                          • Opcode Fuzzy Hash: 34b2557aa455a40970c3cd02a16767b717c6d1cc10d157f026d29448814577d1
                                          • Instruction Fuzzy Hash: 64210771508304EFDB15DF54D9C0BA5BBA5FB84318F20C66DE8195F2A2C336D886CA61
                                          Function 00E1D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362902221.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e1d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d034f6d7f1adbef581461c486eb93a562a2a7f97b6ca8bcb22cf821cb916fc5
                                          • Instruction ID: 82cbf6955710de4fd0fca438871daf38ac5a9dc4cdebd58e44ab4e37876c0cf8
                                          • Opcode Fuzzy Hash: 6d034f6d7f1adbef581461c486eb93a562a2a7f97b6ca8bcb22cf821cb916fc5
                                          • Instruction Fuzzy Hash: A521F575508300EFDB14DF24D9C4B56BB66FB88318F20C56DE80A5B296C336D887CA62
                                          Function 00E1D005 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362902221.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e1d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: abc1e8c61948f9a59fbd42888b7e22c1b5f8ee37c5c8bced58bef792d85d1860
                                          • Instruction ID: daabad59faa54e965200170511d2022c7701f225da738aeb80eb5502b7718926
                                          • Opcode Fuzzy Hash: abc1e8c61948f9a59fbd42888b7e22c1b5f8ee37c5c8bced58bef792d85d1860
                                          • Instruction Fuzzy Hash: FB21837550D3809FCB12CF24D990755BF71EB46314F28C5DAD8498F6A7C33A984ACB62
                                          Function 00E0D4BF Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362772566.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e0d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction ID: bd7e161d9c2bf08cb90d026cdbb105216696c48f10082210b2a3eb9e19622001
                                          • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction Fuzzy Hash: A8110372404280DFCB15CF50D9C0B16BF71FB88328F24C6A9DC091B696C336D85ACBA2
                                          Function 00E0D3D3 Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362772566.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e0d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction ID: 8802906b9797e1b083d639cc6308fedb0555e11d1a723b526f3449970b9869c0
                                          • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction Fuzzy Hash: FD1103B2404240DFCB15CF40D9C0B16BF71FB94324F24C6A9D8090B696C33AE856CBA2
                                          Function 00E1D1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362902221.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e1d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: f3b19f1a162991557ee9a8bbad037347777c4b8c78b9cb548c2a05a713806baf
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: F011BB75908280DFCB15CF50D9C0B55FBA1FB84318F24C6A9D8494B6A6C33AD89ACB62
                                          Function 00E0D795 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362772566.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e0d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 967f0d79b4c4886f168abe0b528dc33c4d1e0e5456e0cf7ba46e63c3fee6eb30
                                          • Instruction ID: eb8643871306c6f7e5cb4e57c3e2c9d53b340302b085072908087832fb800a6e
                                          • Opcode Fuzzy Hash: 967f0d79b4c4886f168abe0b528dc33c4d1e0e5456e0cf7ba46e63c3fee6eb30
                                          • Instruction Fuzzy Hash: 5701A731408344DAE7204E65CD84B66BB98EF51728F18D45BED496E2C6C6799884CB72
                                          Function 00E0D794 Relevance: .0, Instructions: 36COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.1362772566.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_e0d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e9347cfa74cd86c5bffeffe6470614e63aad1983c9c623731d7bf4afee3df117
                                          • Instruction ID: 0df3c340828c83bf491ca285569a7d7f1a02c013d470fd46ea69447aa8eb157b
                                          • Opcode Fuzzy Hash: e9347cfa74cd86c5bffeffe6470614e63aad1983c9c623731d7bf4afee3df117
                                          • Instruction Fuzzy Hash: 1BF06272408344EEE7248E19DD84B66FF98EB51728F18C55AED486F2C6C2799844CB71

                                          Execution Graph

                                          Execution Coverage:11.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:284
                                          Total number of Limit Nodes:20
                                          execution_graph 57371 1bc31ad 57372 1bc30bb 57371->57372 57374 1bc306c 57372->57374 57378 1bc3a78 57372->57378 57402 1bc3ac8 57372->57402 57427 1bc3a69 57372->57427 57373 1bc3473 57379 1bc3a92 57378->57379 57393 1bc3a9a 57379->57393 57451 1bc435d 57379->57451 57456 1bc3ea2 57379->57456 57463 1bc41e0 57379->57463 57468 1bc40a5 57379->57468 57475 1bc3f24 57379->57475 57481 1bc4024 57379->57481 57486 1bc4164 57379->57486 57491 1bc44e9 57379->57491 57499 1bc44b3 57379->57499 57503 1bc40f7 57379->57503 57508 1bc4117 57379->57508 57513 1bc3ff6 57379->57513 57518 1bc461b 57379->57518 57524 1bc42ba 57379->57524 57529 1bc3f5a 57379->57529 57537 1bc433a 57379->57537 57542 1bc40df 57379->57542 57548 1bc42df 57379->57548 57553 1bc3eff 57379->57553 57558 1bc3fbf 57379->57558 57568 1bc46fd 57379->57568 57393->57373 57403 1bc3aa1 57402->57403 57404 1bc3ad7 57402->57404 57405 1bc435d 2 API calls 57403->57405 57406 1bc46fd 2 API calls 57403->57406 57407 1bc3fbf 4 API calls 57403->57407 57408 1bc3eff 2 API calls 57403->57408 57409 1bc42df 2 API calls 57403->57409 57410 1bc40df 2 API calls 57403->57410 57411 1bc433a 2 API calls 57403->57411 57412 1bc3f5a 4 API calls 57403->57412 57413 1bc42ba 2 API calls 57403->57413 57414 1bc461b 2 API calls 57403->57414 57415 1bc3ff6 2 API calls 57403->57415 57416 1bc4117 2 API calls 57403->57416 57417 1bc40f7 2 API calls 57403->57417 57418 1bc3a9a 57403->57418 57419 1bc44b3 2 API calls 57403->57419 57420 1bc44e9 4 API calls 57403->57420 57421 1bc4164 2 API calls 57403->57421 57422 1bc4024 2 API calls 57403->57422 57423 1bc3f24 2 API calls 57403->57423 57424 1bc40a5 4 API calls 57403->57424 57425 1bc41e0 2 API calls 57403->57425 57426 1bc3ea2 4 API calls 57403->57426 57404->57373 57405->57418 57406->57418 57407->57418 57408->57418 57409->57418 57410->57418 57411->57418 57412->57418 57413->57418 57414->57418 57415->57418 57416->57418 57417->57418 57418->57373 57419->57418 57420->57418 57421->57418 57422->57418 57423->57418 57424->57418 57425->57418 57426->57418 57429 1bc3a92 57427->57429 57428 1bc3a9a 57428->57373 57429->57428 57430 1bc435d 2 API calls 57429->57430 57431 1bc46fd 2 API calls 57429->57431 57432 1bc3fbf 4 API calls 57429->57432 57433 1bc3eff 2 API calls 57429->57433 57434 1bc42df 2 API calls 57429->57434 57435 1bc40df 2 API calls 57429->57435 57436 1bc433a 2 API calls 57429->57436 57437 1bc3f5a 4 API calls 57429->57437 57438 1bc42ba 2 API calls 57429->57438 57439 1bc461b 2 API calls 57429->57439 57440 1bc3ff6 2 API calls 57429->57440 57441 1bc4117 2 API calls 57429->57441 57442 1bc40f7 2 API calls 57429->57442 57443 1bc44b3 2 API calls 57429->57443 57444 1bc44e9 4 API calls 57429->57444 57445 1bc4164 2 API calls 57429->57445 57446 1bc4024 2 API calls 57429->57446 57447 1bc3f24 2 API calls 57429->57447 57448 1bc40a5 4 API calls 57429->57448 57449 1bc41e0 2 API calls 57429->57449 57450 1bc3ea2 4 API calls 57429->57450 57430->57428 57431->57428 57432->57428 57433->57428 57434->57428 57435->57428 57436->57428 57437->57428 57438->57428 57439->57428 57440->57428 57441->57428 57442->57428 57443->57428 57444->57428 57445->57428 57446->57428 57447->57428 57448->57428 57449->57428 57450->57428 57452 1bc3f0b 57451->57452 57573 1bc2348 57452->57573 57577 1bc2340 57452->57577 57453 1bc48ee 57581 1bc2c45 57456->57581 57585 1bc2c50 57456->57585 57457 1bc3ed9 57461 1bc2348 ResumeThread 57457->57461 57462 1bc2340 ResumeThread 57457->57462 57458 1bc48ee 57461->57458 57462->57458 57464 1bc416e 57463->57464 57465 1bc4060 57463->57465 57589 1bc29c8 57464->57589 57593 1bc29c1 57464->57593 57465->57393 57597 1bc2830 57468->57597 57601 1bc2828 57468->57601 57469 1bc40bf 57473 1bc2348 ResumeThread 57469->57473 57474 1bc2340 ResumeThread 57469->57474 57470 1bc48ee 57473->57470 57474->57470 57478 1bc3f0b 57475->57478 57476 1bc4473 57476->57393 57477 1bc48ee 57478->57476 57479 1bc2348 ResumeThread 57478->57479 57480 1bc2340 ResumeThread 57478->57480 57479->57477 57480->57477 57482 1bc3ffa 57481->57482 57484 1bc29c8 WriteProcessMemory 57482->57484 57485 1bc29c1 WriteProcessMemory 57482->57485 57483 1bc4271 57484->57483 57485->57483 57487 1bc416e 57486->57487 57489 1bc29c8 WriteProcessMemory 57487->57489 57490 1bc29c1 WriteProcessMemory 57487->57490 57488 1bc4060 57488->57393 57489->57488 57490->57488 57492 1bc40a4 57491->57492 57493 1bc3f0b 57492->57493 57495 1bc2828 Wow64SetThreadContext 57492->57495 57496 1bc2830 Wow64SetThreadContext 57492->57496 57493->57393 57497 1bc2348 ResumeThread 57493->57497 57498 1bc2340 ResumeThread 57493->57498 57494 1bc48ee 57495->57493 57496->57493 57497->57494 57498->57494 57500 1bc47c8 57499->57500 57605 1bc2908 57500->57605 57609 1bc2901 57500->57609 57505 1bc4104 57503->57505 57504 1bc486e 57504->57393 57505->57504 57613 1bc2ab8 57505->57613 57617 1bc2ab0 57505->57617 57509 1bc3f0b 57508->57509 57509->57508 57511 1bc2348 ResumeThread 57509->57511 57512 1bc2340 ResumeThread 57509->57512 57510 1bc48ee 57511->57510 57512->57510 57514 1bc3ffa 57513->57514 57516 1bc29c8 WriteProcessMemory 57514->57516 57517 1bc29c1 WriteProcessMemory 57514->57517 57515 1bc4271 57516->57515 57517->57515 57519 1bc45c2 57518->57519 57521 1bc4622 57518->57521 57522 1bc29c8 WriteProcessMemory 57519->57522 57523 1bc29c1 WriteProcessMemory 57519->57523 57520 1bc45e3 57520->57393 57522->57520 57523->57520 57525 1bc42db 57524->57525 57526 1bc486e 57525->57526 57527 1bc2ab8 ReadProcessMemory 57525->57527 57528 1bc2ab0 ReadProcessMemory 57525->57528 57526->57393 57527->57525 57528->57525 57621 1bc4b38 57529->57621 57626 1bc4b27 57529->57626 57530 1bc3fb9 57531 1bc3f0b 57531->57530 57535 1bc2348 ResumeThread 57531->57535 57536 1bc2340 ResumeThread 57531->57536 57532 1bc48ee 57535->57532 57536->57532 57538 1bc417f 57537->57538 57539 1bc4060 57538->57539 57540 1bc29c8 WriteProcessMemory 57538->57540 57541 1bc29c1 WriteProcessMemory 57538->57541 57539->57393 57540->57539 57541->57539 57543 1bc4290 57542->57543 57544 1bc48bc 57543->57544 57546 1bc29c8 WriteProcessMemory 57543->57546 57547 1bc29c1 WriteProcessMemory 57543->57547 57545 1bc45e3 57545->57393 57546->57545 57547->57545 57549 1bc42e5 57548->57549 57550 1bc486e 57549->57550 57551 1bc2ab8 ReadProcessMemory 57549->57551 57552 1bc2ab0 ReadProcessMemory 57549->57552 57550->57393 57551->57549 57552->57549 57554 1bc3f0b 57553->57554 57556 1bc2348 ResumeThread 57554->57556 57557 1bc2340 ResumeThread 57554->57557 57555 1bc48ee 57556->57555 57557->57555 57559 1bc3fcc 57558->57559 57560 1bc42db 57558->57560 57559->57560 57561 1bc3f0b 57559->57561 57562 1bc486e 57560->57562 57566 1bc2ab8 ReadProcessMemory 57560->57566 57567 1bc2ab0 ReadProcessMemory 57560->57567 57564 1bc2348 ResumeThread 57561->57564 57565 1bc2340 ResumeThread 57561->57565 57562->57393 57563 1bc48ee 57564->57563 57565->57563 57566->57560 57567->57560 57569 1bc468d 57568->57569 57571 1bc2348 ResumeThread 57569->57571 57572 1bc2340 ResumeThread 57569->57572 57570 1bc48ee 57571->57570 57572->57570 57574 1bc2388 ResumeThread 57573->57574 57576 1bc23b9 57574->57576 57576->57453 57578 1bc2388 ResumeThread 57577->57578 57580 1bc23b9 57578->57580 57580->57453 57582 1bc2cd9 CreateProcessA 57581->57582 57584 1bc2e9b 57582->57584 57586 1bc2cd9 CreateProcessA 57585->57586 57588 1bc2e9b 57586->57588 57590 1bc2a10 WriteProcessMemory 57589->57590 57592 1bc2a67 57590->57592 57592->57465 57594 1bc2a10 WriteProcessMemory 57593->57594 57596 1bc2a67 57594->57596 57596->57465 57598 1bc2875 Wow64SetThreadContext 57597->57598 57600 1bc28bd 57598->57600 57600->57469 57602 1bc2875 Wow64SetThreadContext 57601->57602 57604 1bc28bd 57602->57604 57604->57469 57606 1bc2948 VirtualAllocEx 57605->57606 57608 1bc2985 57606->57608 57608->57500 57610 1bc2948 VirtualAllocEx 57609->57610 57612 1bc2985 57610->57612 57612->57500 57614 1bc2b03 ReadProcessMemory 57613->57614 57616 1bc2b47 57614->57616 57616->57505 57618 1bc2b03 ReadProcessMemory 57617->57618 57620 1bc2b47 57618->57620 57620->57505 57622 1bc4b4d 57621->57622 57624 1bc2828 Wow64SetThreadContext 57622->57624 57625 1bc2830 Wow64SetThreadContext 57622->57625 57623 1bc4b63 57623->57531 57624->57623 57625->57623 57627 1bc4b38 57626->57627 57629 1bc2828 Wow64SetThreadContext 57627->57629 57630 1bc2830 Wow64SetThreadContext 57627->57630 57628 1bc4b63 57628->57531 57629->57628 57630->57628 57654 1994668 57655 199467a 57654->57655 57656 1994686 57655->57656 57658 1994779 57655->57658 57659 199479d 57658->57659 57663 1994879 57659->57663 57667 1994888 57659->57667 57665 19948af 57663->57665 57664 199498c 57664->57664 57665->57664 57671 19944c4 57665->57671 57668 19948af 57667->57668 57669 19944c4 CreateActCtxA 57668->57669 57670 199498c 57668->57670 57669->57670 57672 1995918 CreateActCtxA 57671->57672 57674 19959db 57672->57674 57674->57674 57332 7cb99c8 57333 7cb99da 57332->57333 57334 7cb99f0 57332->57334 57336 7cb7fcc 57333->57336 57337 7cb7fd7 57336->57337 57338 7cba24e 57337->57338 57341 7cbb1c8 57337->57341 57346 7cbb1d8 57337->57346 57338->57334 57343 7cbb1dd 57341->57343 57342 7cbb20e 57342->57337 57343->57342 57351 7cb9cd8 57343->57351 57348 7cbb1dd 57346->57348 57347 7cbb20e 57347->57337 57348->57347 57349 7cb9cd8 DrawTextExW 57348->57349 57350 7cbb25e 57349->57350 57352 7cb9ce3 57351->57352 57355 7cbbdec 57352->57355 57354 7cbb25e 57357 7cbbdf7 57355->57357 57356 7cbcb51 57356->57354 57357->57356 57361 7cbd670 57357->57361 57364 7cbd660 57357->57364 57358 7cbcc55 57358->57354 57362 7cbd68d 57361->57362 57367 7cbbfc4 57361->57367 57362->57358 57365 7cbbfc4 DrawTextExW 57364->57365 57366 7cbd68d 57365->57366 57366->57358 57369 7cbd6a8 DrawTextExW 57367->57369 57370 7cbd74e 57369->57370 57370->57362 57631 1bc5428 57632 1bc55b3 57631->57632 57634 1bc544e 57631->57634 57634->57632 57635 1bc4d1c 57634->57635 57636 1bc56a8 PostMessageW 57635->57636 57637 1bc5714 57636->57637 57637->57634 57638 7cc0478 CloseHandle 57639 7cc04df 57638->57639 57640 199af50 57641 199af5f 57640->57641 57644 199b048 57640->57644 57649 199b037 57640->57649 57645 199b07c 57644->57645 57646 199b059 57644->57646 57645->57641 57646->57645 57647 199b280 GetModuleHandleW 57646->57647 57648 199b2ad 57647->57648 57648->57641 57650 199b07c 57649->57650 57651 199b059 57649->57651 57650->57641 57651->57650 57652 199b280 GetModuleHandleW 57651->57652 57653 199b2ad 57652->57653 57653->57641 57675 199d2e0 57676 199d326 57675->57676 57680 199d4b0 57676->57680 57683 199d4c0 57676->57683 57677 199d413 57686 199af34 57680->57686 57684 199d4ee 57683->57684 57685 199af34 DuplicateHandle 57683->57685 57684->57677 57685->57684 57687 199d528 DuplicateHandle 57686->57687 57688 199d4ee 57687->57688 57688->57677

                                          Executed Functions

                                          Function 07DFAC80 Relevance: 15.6, Strings: 10, Instructions: 3087COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 294 7dfac80-7dfad0c 994 7dfad12 call 7dfe058 294->994 995 7dfad12 call 7dfe068 294->995 299 7dfad18-7dfad26 300 7dfad2f-7dfaf57 299->300 328 7dfaf5d-7dfb2e5 300->328 329 7dfe040-7dfe046 300->329 328->329 384 7dfb2eb-7dfb3c9 328->384 384->329 396 7dfb3cf-7dfb3da 384->396 396->329 397 7dfb3e0-7dfb45d 396->397 397->329 404 7dfb463-7dfb541 397->404 404->329 416 7dfb547-7dfb83e 404->416 416->329 456 7dfb844-7dfb84f 416->456 456->329 457 7dfb855-7dfc162 456->457 457->329 576 7dfc168-7dfc57a 457->576 576->329 630 7dfc580-7dfc58b 576->630 630->329 631 7dfc591-7dfc5ad 630->631 631->329 633 7dfc5b3-7dfc6ce 631->633 633->329 650 7dfc6d4-7dfc813 633->650 650->329 667 7dfc819-7dfcb6f 650->667 667->329 712 7dfcb75-7dfcd9e 667->712 712->329 741 7dfcda4-7dfd0c0 712->741 741->329 784 7dfd0c6-7dfd25c 741->784 784->329 806 7dfd262-7dfd3f8 784->806 806->329 828 7dfd3fe-7dfd5ad 806->828 828->329 851 7dfd5b3-7dfdbb7 828->851 851->329 933 7dfdbbd-7dfe03f 851->933 994->299 995->299
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-1298971921
                                          • Opcode ID: 6b39940f398d6f0ed6a8f7130717e37381cb5a5cded72f2ace287d9245716dbe
                                          • Instruction ID: 3e4aeb5265d60a4870ed0994263764ed7d7ae650dadf1e72cf0a7cafec4c5962
                                          • Opcode Fuzzy Hash: 6b39940f398d6f0ed6a8f7130717e37381cb5a5cded72f2ace287d9245716dbe
                                          • Instruction Fuzzy Hash: 5B639274A002189FDB24DF64E995B9ABBB2FF8D700F1485D8E9099B354DB359E80CF90
                                          Function 07DFAC90 Relevance: 15.6, Strings: 10, Instructions: 3084COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 996 7dfac90-7dfad0c 1695 7dfad12 call 7dfe058 996->1695 1696 7dfad12 call 7dfe068 996->1696 1000 7dfad18-7dfad26 1001 7dfad2f-7dfaf57 1000->1001 1029 7dfaf5d-7dfb2e5 1001->1029 1030 7dfe040-7dfe046 1001->1030 1029->1030 1085 7dfb2eb-7dfb3c9 1029->1085 1085->1030 1097 7dfb3cf-7dfb3da 1085->1097 1097->1030 1098 7dfb3e0-7dfb45d 1097->1098 1098->1030 1105 7dfb463-7dfb541 1098->1105 1105->1030 1117 7dfb547-7dfb83e 1105->1117 1117->1030 1157 7dfb844-7dfb84f 1117->1157 1157->1030 1158 7dfb855-7dfc162 1157->1158 1158->1030 1277 7dfc168-7dfc57a 1158->1277 1277->1030 1331 7dfc580-7dfc58b 1277->1331 1331->1030 1332 7dfc591-7dfc5ad 1331->1332 1332->1030 1334 7dfc5b3-7dfc6ce 1332->1334 1334->1030 1351 7dfc6d4-7dfc813 1334->1351 1351->1030 1368 7dfc819-7dfcb6f 1351->1368 1368->1030 1413 7dfcb75-7dfcd9e 1368->1413 1413->1030 1442 7dfcda4-7dfd0c0 1413->1442 1442->1030 1485 7dfd0c6-7dfd25c 1442->1485 1485->1030 1507 7dfd262-7dfd3f8 1485->1507 1507->1030 1529 7dfd3fe-7dfd5ad 1507->1529 1529->1030 1552 7dfd5b3-7dfdbb7 1529->1552 1552->1030 1634 7dfdbbd-7dfe03f 1552->1634 1695->1000 1696->1000
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-1298971921
                                          • Opcode ID: bd064dfed7460b24c11bacba689752808eeb0d3d71f09cad279dc85064db75c1
                                          • Instruction ID: d99afaa757ad8e91087197634bd0a5d436569e0e9ef057e8587a5215d7d5422f
                                          • Opcode Fuzzy Hash: bd064dfed7460b24c11bacba689752808eeb0d3d71f09cad279dc85064db75c1
                                          • Instruction Fuzzy Hash: E7639274A002189FDB24DF64E995B9ABBB2FF8D700F1485D8E9099B354DB359E80CF90
                                          Function 07DF8957 Relevance: 6.0, Strings: 4, Instructions: 984COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1697 7df8957-7df8985 1699 7df89ee-7df89f8 1697->1699 1700 7df8987-7df89f8 1697->1700 1704 7df8a02-7df8a4f 1699->1704 1700->1704 1711 7df8a5a-7df8a61 1704->1711 1712 7df8a51-7df8a58 1704->1712 1714 7df8a6a 1711->1714 1715 7df8a63-7df8a68 1711->1715 1713 7df8a80-7df8a84 1712->1713 1716 7df8a86-7df8a8a 1713->1716 1717 7df8a94-7df8b66 1713->1717 1940 7df8a6a call 7df9971 1714->1940 1941 7df8a6a call 7df9980 1714->1941 1715->1713 1716->1717 1739 7df8b70-7df8b7f call 7dff268 1717->1739 1718 7df8a70-7df8a7d 1718->1713 1740 7df8b85-7df8b8d 1739->1740 1742 7df8b97-7df8b9f 1740->1742 1743 7df8ba7-7df964f 1742->1743 1899 7df9659-7df9661 1743->1899 1936 7df9663 call 7cb1780 1899->1936 1937 7df9663 call 7cb1790 1899->1937 1938 7df9663 call 7cb1b20 1899->1938 1939 7df9663 call 7cb18b0 1899->1939 1900 7df9669-7df9855 1936->1900 1937->1900 1938->1900 1939->1900 1940->1718 1941->1718
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0EIq$+~Zk^$;~Zk^$}Zk^
                                          • API String ID: 0-2811352204
                                          • Opcode ID: 786bd9f57d134451925b59b2647ea3d64f57ee59d12ad3399c7fe6a5461fcd5e
                                          • Instruction ID: 4e7406b4ebb0da703deca334e433af10b84582ffccd707fac002fdca34d8bb1c
                                          • Opcode Fuzzy Hash: 786bd9f57d134451925b59b2647ea3d64f57ee59d12ad3399c7fe6a5461fcd5e
                                          • Instruction Fuzzy Hash: 9A920674A103008FE728DB79D494B5AB7FAFB89305F604869E58A97360DF35AD82CF50
                                          Function 07DF89B0 Relevance: 6.0, Strings: 4, Instructions: 962COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1942 7df89b0-7df8a4f 1952 7df8a5a-7df8a61 1942->1952 1953 7df8a51-7df8a58 1942->1953 1955 7df8a6a 1952->1955 1956 7df8a63-7df8a68 1952->1956 1954 7df8a80-7df8a84 1953->1954 1957 7df8a86-7df8a8a 1954->1957 1958 7df8a94-7df9661 call 7dff268 1954->1958 2181 7df8a6a call 7df9971 1955->2181 2182 7df8a6a call 7df9980 1955->2182 1956->1954 1957->1958 2177 7df9663 call 7cb1780 1958->2177 2178 7df9663 call 7cb1790 1958->2178 2179 7df9663 call 7cb1b20 1958->2179 2180 7df9663 call 7cb18b0 1958->2180 1959 7df8a70-7df8a7d 1959->1954 2141 7df9669-7df9855 2177->2141 2178->2141 2179->2141 2180->2141 2181->1959 2182->1959
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0EIq$+~Zk^$;~Zk^$}Zk^
                                          • API String ID: 0-2811352204
                                          • Opcode ID: c1b85860343eec61f872b322fd136674d75871778ff4cffb870e73a9502d927a
                                          • Instruction ID: cf14a99ab62772f73871f167081d77b9abf3e11d86d52b1e7a635c9986a8a382
                                          • Opcode Fuzzy Hash: c1b85860343eec61f872b322fd136674d75871778ff4cffb870e73a9502d927a
                                          • Instruction Fuzzy Hash: 3392F474A103008FE728DB79D494B6AB7FAFB89305F504869E58A97360DF35AD82CF50
                                          Function 07DF9980 Relevance: 5.3, Strings: 4, Instructions: 316COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2183 7df9980-7df9995 2184 7df999f-7df99dc 2183->2184 2185 7df9997-7df999e 2183->2185 2188 7df99de-7df99f2 2184->2188 2189 7df9a26-7df9a71 2184->2189 2192 7df99fb-7df9a23 2188->2192 2193 7df99f4 2188->2193 2199 7df9abf-7df9b09 2189->2199 2200 7df9a73-7df9a87 2189->2200 2192->2189 2193->2192 2210 7df9b0b-7df9b1f 2199->2210 2211 7df9b57-7df9b9f 2199->2211 2203 7df9a89 2200->2203 2204 7df9a90-7df9abc 2200->2204 2203->2204 2204->2199 2214 7df9b28-7df9b54 2210->2214 2215 7df9b21 2210->2215 2221 7df9beb-7df9c33 2211->2221 2222 7df9ba1-7df9bb5 2211->2222 2214->2211 2215->2214 2233 7df9cca-7df9cce 2221->2233 2234 7df9c39-7df9c3c 2221->2234 2225 7df9bbe-7df9be8 2222->2225 2226 7df9bb7 2222->2226 2225->2221 2226->2225 2237 7df9d34-7df9d58 2233->2237 2238 7df9cd0-7df9ce6 2233->2238 2235 7df9d8a-7df9dd0 2234->2235 2236 7df9c42-7df9c65 2234->2236 2243 7df9c6b-7df9c6f 2236->2243 2244 7df9c67-7df9c69 2236->2244 2266 7df9d5f-7df9d83 2237->2266 2245 7df9cec-7df9cf3 2238->2245 2246 7df9ce8-7df9cea 2238->2246 2250 7df9c78-7df9c7b 2243->2250 2251 7df9c71-7df9c76 2243->2251 2249 7df9c86-7df9c88 2244->2249 2253 7df9cfc-7df9d0d 2245->2253 2254 7df9cf5-7df9cfa 2245->2254 2252 7df9d12-7df9d14 2246->2252 2255 7df9c8a-7df9c91 2249->2255 2256 7df9c93-7df9c97 2249->2256 2261 7df9c83 2250->2261 2251->2249 2257 7df9d16-7df9d1d 2252->2257 2258 7df9d25-7df9d33 2252->2258 2253->2252 2254->2252 2263 7df9ca0-7df9cb4 2255->2263 2256->2263 2264 7df9c99 2256->2264 2257->2235 2265 7df9d1f-7df9d23 2257->2265 2261->2249 2263->2235 2269 7df9cba-7df9cc4 2263->2269 2264->2263 2265->2258 2265->2266 2266->2235 2269->2233 2269->2234
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: K}Zk^$[}Zk^$k}Zk^${}Zk^
                                          • API String ID: 0-336735761
                                          • Opcode ID: a4c94dd389b026bff9b73d64a6771af13818eab87c6f695312d461ec27e90dcf
                                          • Instruction ID: 1575ba9f26c0cceb19151f157c146c9570796cdc85144de26c9053390a0d38ca
                                          • Opcode Fuzzy Hash: a4c94dd389b026bff9b73d64a6771af13818eab87c6f695312d461ec27e90dcf
                                          • Instruction Fuzzy Hash: 35C18E70E002098BDB14DF68D49079EFBF2FBC9300F258529E509AB345EB75AD46CB91
                                          Function 07DFFE70 Relevance: 2.6, Strings: 2, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2295 7dffe70-7dfff48 call 7dffdf4 2303 7dfff4d-7dfffb8 call 7dffe04 2295->2303
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$#
                                          • API String ID: 0-2529538431
                                          • Opcode ID: 79d5dc67c77777dee4b5a99f15e460846f0d83b41ea4ddf11e36f5f73d56884a
                                          • Instruction ID: b8ae2fa20b206428ed7515c5c5c227d0e21428ce78058ac490a36b4ddf42339a
                                          • Opcode Fuzzy Hash: 79d5dc67c77777dee4b5a99f15e460846f0d83b41ea4ddf11e36f5f73d56884a
                                          • Instruction Fuzzy Hash: DD417975D102189BCF14DFA8D8806EEFBF6FF88310F109219E814AB355E7759946CB91
                                          Function 07DFFE80 Relevance: 2.6, Strings: 2, Instructions: 90COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2309 7dffe80-7dfff48 call 7dffdf4 2316 7dfff4d-7dfffb8 call 7dffe04 2309->2316
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$#
                                          • API String ID: 0-2529538431
                                          • Opcode ID: 4149f78fdf430c4e8c69d047454542488544ab836bf026be15421c8b69b46d88
                                          • Instruction ID: 53f09b6395f048cfb75ef8d801c46ec9dcf23c80937a6fa1cdbe7152f0d63208
                                          • Opcode Fuzzy Hash: 4149f78fdf430c4e8c69d047454542488544ab836bf026be15421c8b69b46d88
                                          • Instruction Fuzzy Hash: DF316675D102189BCF14DFA8D880AAEFBF6FF88310F109219E914AB365E7749D46CB91
                                          Function 01BC2C45 Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2322 1bc2c45-1bc2ce5 2324 1bc2d1e-1bc2d3e 2322->2324 2325 1bc2ce7-1bc2cf1 2322->2325 2332 1bc2d77-1bc2da6 2324->2332 2333 1bc2d40-1bc2d4a 2324->2333 2325->2324 2326 1bc2cf3-1bc2cf5 2325->2326 2327 1bc2d18-1bc2d1b 2326->2327 2328 1bc2cf7-1bc2d01 2326->2328 2327->2324 2330 1bc2d05-1bc2d14 2328->2330 2331 1bc2d03 2328->2331 2330->2330 2335 1bc2d16 2330->2335 2331->2330 2341 1bc2ddf-1bc2e99 CreateProcessA 2332->2341 2342 1bc2da8-1bc2db2 2332->2342 2333->2332 2334 1bc2d4c-1bc2d4e 2333->2334 2336 1bc2d50-1bc2d5a 2334->2336 2337 1bc2d71-1bc2d74 2334->2337 2335->2327 2339 1bc2d5c 2336->2339 2340 1bc2d5e-1bc2d6d 2336->2340 2337->2332 2339->2340 2340->2340 2343 1bc2d6f 2340->2343 2353 1bc2e9b-1bc2ea1 2341->2353 2354 1bc2ea2-1bc2f28 2341->2354 2342->2341 2344 1bc2db4-1bc2db6 2342->2344 2343->2337 2346 1bc2db8-1bc2dc2 2344->2346 2347 1bc2dd9-1bc2ddc 2344->2347 2348 1bc2dc4 2346->2348 2349 1bc2dc6-1bc2dd5 2346->2349 2347->2341 2348->2349 2349->2349 2351 1bc2dd7 2349->2351 2351->2347 2353->2354 2364 1bc2f38-1bc2f3c 2354->2364 2365 1bc2f2a-1bc2f2e 2354->2365 2367 1bc2f4c-1bc2f50 2364->2367 2368 1bc2f3e-1bc2f42 2364->2368 2365->2364 2366 1bc2f30 2365->2366 2366->2364 2369 1bc2f60-1bc2f64 2367->2369 2370 1bc2f52-1bc2f56 2367->2370 2368->2367 2371 1bc2f44 2368->2371 2373 1bc2f76-1bc2f7d 2369->2373 2374 1bc2f66-1bc2f6c 2369->2374 2370->2369 2372 1bc2f58 2370->2372 2371->2367 2372->2369 2375 1bc2f7f-1bc2f8e 2373->2375 2376 1bc2f94 2373->2376 2374->2373 2375->2376 2378 1bc2f95 2376->2378 2378->2378
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01BC2E86
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 886a0599795b3014cf034a5e80a0738e8d7eb8a695aaf9dea1151c9ce2e552fb
                                          • Instruction ID: b3759131b9fbd579644750728e22f347e0b417bf59da9784ab9972373836cdf4
                                          • Opcode Fuzzy Hash: 886a0599795b3014cf034a5e80a0738e8d7eb8a695aaf9dea1151c9ce2e552fb
                                          • Instruction Fuzzy Hash: 56A16971D00619CFEB28DF68C841BEEBBB2FF48710F1481A9E808A7250DB759985CF91
                                          Function 01BC2C50 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2379 1bc2c50-1bc2ce5 2381 1bc2d1e-1bc2d3e 2379->2381 2382 1bc2ce7-1bc2cf1 2379->2382 2389 1bc2d77-1bc2da6 2381->2389 2390 1bc2d40-1bc2d4a 2381->2390 2382->2381 2383 1bc2cf3-1bc2cf5 2382->2383 2384 1bc2d18-1bc2d1b 2383->2384 2385 1bc2cf7-1bc2d01 2383->2385 2384->2381 2387 1bc2d05-1bc2d14 2385->2387 2388 1bc2d03 2385->2388 2387->2387 2392 1bc2d16 2387->2392 2388->2387 2398 1bc2ddf-1bc2e99 CreateProcessA 2389->2398 2399 1bc2da8-1bc2db2 2389->2399 2390->2389 2391 1bc2d4c-1bc2d4e 2390->2391 2393 1bc2d50-1bc2d5a 2391->2393 2394 1bc2d71-1bc2d74 2391->2394 2392->2384 2396 1bc2d5c 2393->2396 2397 1bc2d5e-1bc2d6d 2393->2397 2394->2389 2396->2397 2397->2397 2400 1bc2d6f 2397->2400 2410 1bc2e9b-1bc2ea1 2398->2410 2411 1bc2ea2-1bc2f28 2398->2411 2399->2398 2401 1bc2db4-1bc2db6 2399->2401 2400->2394 2403 1bc2db8-1bc2dc2 2401->2403 2404 1bc2dd9-1bc2ddc 2401->2404 2405 1bc2dc4 2403->2405 2406 1bc2dc6-1bc2dd5 2403->2406 2404->2398 2405->2406 2406->2406 2408 1bc2dd7 2406->2408 2408->2404 2410->2411 2421 1bc2f38-1bc2f3c 2411->2421 2422 1bc2f2a-1bc2f2e 2411->2422 2424 1bc2f4c-1bc2f50 2421->2424 2425 1bc2f3e-1bc2f42 2421->2425 2422->2421 2423 1bc2f30 2422->2423 2423->2421 2426 1bc2f60-1bc2f64 2424->2426 2427 1bc2f52-1bc2f56 2424->2427 2425->2424 2428 1bc2f44 2425->2428 2430 1bc2f76-1bc2f7d 2426->2430 2431 1bc2f66-1bc2f6c 2426->2431 2427->2426 2429 1bc2f58 2427->2429 2428->2424 2429->2426 2432 1bc2f7f-1bc2f8e 2430->2432 2433 1bc2f94 2430->2433 2431->2430 2432->2433 2435 1bc2f95 2433->2435 2435->2435
                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01BC2E86
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6530dcb0e56c96f5ed0c8c93d43cf1095f3e2d0bad018684fe5a8a91a93162db
                                          • Instruction ID: 66b40996832ed7e54a93e40747c5be83ef21a922d3d850390ab83ee5d86eaba8
                                          • Opcode Fuzzy Hash: 6530dcb0e56c96f5ed0c8c93d43cf1095f3e2d0bad018684fe5a8a91a93162db
                                          • Instruction Fuzzy Hash: A3915971D00619DFEB28DF68C841BEEBBB2FF48710F1481A9E809A7250DB759985CF91
                                          Function 0199B048 Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2436 199b048-199b057 2437 199b059-199b066 call 1999ab8 2436->2437 2438 199b083-199b087 2436->2438 2445 199b068 2437->2445 2446 199b07c 2437->2446 2440 199b089-199b093 2438->2440 2441 199b09b-199b0dc 2438->2441 2440->2441 2447 199b0e9-199b0f7 2441->2447 2448 199b0de-199b0e6 2441->2448 2491 199b06e call 199b2d1 2445->2491 2492 199b06e call 199b2e0 2445->2492 2446->2438 2449 199b0f9-199b0fe 2447->2449 2450 199b11b-199b11d 2447->2450 2448->2447 2453 199b109 2449->2453 2454 199b100-199b107 call 199ad00 2449->2454 2452 199b120-199b127 2450->2452 2451 199b074-199b076 2451->2446 2455 199b1b8-199b278 2451->2455 2457 199b129-199b131 2452->2457 2458 199b134-199b13b 2452->2458 2459 199b10b-199b119 2453->2459 2454->2459 2486 199b27a-199b27d 2455->2486 2487 199b280-199b2ab GetModuleHandleW 2455->2487 2457->2458 2462 199b148-199b151 call 199ad10 2458->2462 2463 199b13d-199b145 2458->2463 2459->2452 2467 199b15e-199b163 2462->2467 2468 199b153-199b15b 2462->2468 2463->2462 2469 199b181-199b18e 2467->2469 2470 199b165-199b16c 2467->2470 2468->2467 2477 199b1b1-199b1b7 2469->2477 2478 199b190-199b1ae 2469->2478 2470->2469 2472 199b16e-199b17e call 199ad20 call 199ad30 2470->2472 2472->2469 2478->2477 2486->2487 2488 199b2ad-199b2b3 2487->2488 2489 199b2b4-199b2c8 2487->2489 2488->2489 2491->2451 2492->2451
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0199B29E
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1433830444.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1990000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 375c59124d6307935b7fec4b94e375ba487ff5b2a0d66de92b04a8c2e45b96f0
                                          • Instruction ID: d9e471e08478479ad9d9ff689767a4048b6684423a8437693599140e522a0278
                                          • Opcode Fuzzy Hash: 375c59124d6307935b7fec4b94e375ba487ff5b2a0d66de92b04a8c2e45b96f0
                                          • Instruction Fuzzy Hash: DE7137B0A00B058FEB28DF2DE455B5ABBF5FF88200F04892DD54AD7A50D739E945CB91
                                          Function 019944C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2602 19944c4-19959d9 CreateActCtxA 2605 19959db-19959e1 2602->2605 2606 19959e2-1995a3c 2602->2606 2605->2606 2613 1995a4b-1995a4f 2606->2613 2614 1995a3e-1995a41 2606->2614 2615 1995a51-1995a5d 2613->2615 2616 1995a60 2613->2616 2614->2613 2615->2616 2618 1995a61 2616->2618 2618->2618
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 019959C9
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1433830444.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1990000_workbook.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: cd770d5d7afd5ff98a2ffa82d1d88977d2eb2e6ebb367cb6164d9560b34eed18
                                          • Instruction ID: e29702dd008e66ced7d59fc210bbe8e1ca5fc6327fd212c946d4884ae6e2082b
                                          • Opcode Fuzzy Hash: cd770d5d7afd5ff98a2ffa82d1d88977d2eb2e6ebb367cb6164d9560b34eed18
                                          • Instruction Fuzzy Hash: D641EF71C01718CBEF24CFA9C884B8EBBB5BF49304F60806AD408AB251DB796945CF94
                                          Function 0199590C Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 2619 199590c-19959d9 CreateActCtxA 2621 19959db-19959e1 2619->2621 2622 19959e2-1995a3c 2619->2622 2621->2622 2629 1995a4b-1995a4f 2622->2629 2630 1995a3e-1995a41 2622->2630 2631 1995a51-1995a5d 2629->2631 2632 1995a60 2629->2632 2630->2629 2631->2632 2634 1995a61 2632->2634 2634->2634
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 019959C9
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1433830444.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1990000_workbook.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: a562c962f9821f551d9651b940d1de1d45dd675459c0261fe7a0a7696c2e598d
                                          • Instruction ID: de32f6c8d0575179361c80e18df87aaca32e0d85cb7ab628280386b459b96aee
                                          • Opcode Fuzzy Hash: a562c962f9821f551d9651b940d1de1d45dd675459c0261fe7a0a7696c2e598d
                                          • Instruction Fuzzy Hash: 3441F2B1C01719CFEF25CFA9C884B8EBBB5BF49304F20805AD408AB251DB795945CF90
                                          Function 07CBD6A1 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07CBD68D,?,?), ref: 07CBD73F
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493392251.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7cb0000_workbook.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 9c1cbe6737ab8246e55d6d10c5ad213897db6cdd0c44e0ba08f702336cdc4bf4
                                          • Instruction ID: b9f5f21dbd2c564404275618038b0beecd0297eb155f4aa34ca0f49b16703d32
                                          • Opcode Fuzzy Hash: 9c1cbe6737ab8246e55d6d10c5ad213897db6cdd0c44e0ba08f702336cdc4bf4
                                          • Instruction Fuzzy Hash: 1031E3B5D002099FDB20CF9AD885ADEFBF4FB48320F14842AE919A7710D775A944CFA1
                                          Function 07CBBFC4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                          Download Yara Rule
                                          APIs
                                          • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07CBD68D,?,?), ref: 07CBD73F
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493392251.0000000007CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CB0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7cb0000_workbook.jbxd
                                          Similarity
                                          • API ID: DrawText
                                          • String ID:
                                          • API String ID: 2175133113-0
                                          • Opcode ID: 64952f2ec1731e2f5126c37adcffb7e0e64a2dc04b2305bbfcfaece78e561738
                                          • Instruction ID: 2b229a1df62facb31e7d471ad25ab0813f05554527c65062752b9e47302e23f9
                                          • Opcode Fuzzy Hash: 64952f2ec1731e2f5126c37adcffb7e0e64a2dc04b2305bbfcfaece78e561738
                                          • Instruction Fuzzy Hash: A031E0B5D006099FDB20CF9AD884ADEBBF4FB48310F54842AE919A7310D775A944CFA1
                                          Function 01BC29C1 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01BC2A58
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: e43e08b6b0270811ed11b92a5c9a6e8aae405cc9339fd1d7dd66a9c513357a99
                                          • Instruction ID: d939a01dc7564c5ae3f4279c8c9a7907cd22baced5f7ce20e511a18c77e643bc
                                          • Opcode Fuzzy Hash: e43e08b6b0270811ed11b92a5c9a6e8aae405cc9339fd1d7dd66a9c513357a99
                                          • Instruction Fuzzy Hash: CA2122B29003099FDB14CFA9C981BEEBBF1FB48310F10842AE919A7241C7799941CBA0
                                          Function 01BC29C8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                          Download Yara Rule
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01BC2A58
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: cfa6548a8af023057f1fcd515ef38529fa4956713ecd46a41a2bfc3540edeb06
                                          • Instruction ID: 5bc94fc191884fb6354f1465f2a7a94f2f9015d6c099cf4fd0061093052bbe99
                                          • Opcode Fuzzy Hash: cfa6548a8af023057f1fcd515ef38529fa4956713ecd46a41a2bfc3540edeb06
                                          • Instruction Fuzzy Hash: 542124729003499FDB14CFAAC981BEEBBF5FF48310F10842AE919A7241C7799944CBA5
                                          Function 01BC2828 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01BC28AE
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 95eeadc1c99501ff586433497bfc7e2eaefe103b649a271c95859e31dab96dd6
                                          • Instruction ID: 5f3e96c685d9d9f0bd98da10143e04982b289f3f17d4c369810a0d9b5ad4e5f7
                                          • Opcode Fuzzy Hash: 95eeadc1c99501ff586433497bfc7e2eaefe103b649a271c95859e31dab96dd6
                                          • Instruction Fuzzy Hash: D4213475D003098FEB14CFAAC481BEEBBF0EF88210F10842ED559A7240CB799945CBA5
                                          Function 01BC2AB0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01BC2B38
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 3fbb5e001d0468ea4a3a8e5c5dc487a4ac4a84f531b34801deb16e3769ffa3ef
                                          • Instruction ID: e8429008808936d5a421f4e8b44bd5f3ae755d842f9ac577233b3330fda59b62
                                          • Opcode Fuzzy Hash: 3fbb5e001d0468ea4a3a8e5c5dc487a4ac4a84f531b34801deb16e3769ffa3ef
                                          • Instruction Fuzzy Hash: A521F4B1C003499FDB14CFA9C881BEEBBF5FF48310F50842EE519A7250D73999018BA5
                                          Function 0199AF34 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0199D4EE,?,?,?,?,?), ref: 0199D5AF
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1433830444.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1990000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0de5a897f1f7e0ade9b00d9f0914a88dbe2d3c8b963984e78441200e829fad4c
                                          • Instruction ID: 4e321cfd7cabd498273574bccda1c6f6a08ba40ce64d524e57199669041e57b3
                                          • Opcode Fuzzy Hash: 0de5a897f1f7e0ade9b00d9f0914a88dbe2d3c8b963984e78441200e829fad4c
                                          • Instruction Fuzzy Hash: F421E3B5900248EFDB10CFAAD484ADEBBF8EB48310F14841AE918A7350D379A944CFA5
                                          Function 01BC2830 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 01BC28AE
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 1f2fad0aea2776d6e1173133119a349bbf2acc14711e76f5db67df44831742bc
                                          • Instruction ID: 288db025aa483bc704e365d3f65d027eaa841b5498729a7bfe27db1235728d40
                                          • Opcode Fuzzy Hash: 1f2fad0aea2776d6e1173133119a349bbf2acc14711e76f5db67df44831742bc
                                          • Instruction Fuzzy Hash: 96213471D003098FEB14CFAAC485BEEBBF4EF48210F14842EE559A7340CB79A945CBA5
                                          Function 01BC2AB8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                          Download Yara Rule
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 01BC2B38
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: b9131123439502b96ac315799e7fddc5795bdda68661fc4440211dda8948fbec
                                          • Instruction ID: 5616faaca7d014f2a215e527abe2e71381a1d5225edb6685dd8c3808f80237bf
                                          • Opcode Fuzzy Hash: b9131123439502b96ac315799e7fddc5795bdda68661fc4440211dda8948fbec
                                          • Instruction Fuzzy Hash: 842103718003499FDB14CFAAC881BEEBBF5FF48310F50842AE919A7240CB3999018BA5
                                          Function 0199D521 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0199D4EE,?,?,?,?,?), ref: 0199D5AF
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1433830444.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1990000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 2c6b9fe8617d11c427a5eca7a7b3103497b5b66a5ba931b5d28013aa6ac44476
                                          • Instruction ID: 0e261aaa1db49e1a27c7faaa436b6e93b38103a424b60125eed5df9e075f2b7c
                                          • Opcode Fuzzy Hash: 2c6b9fe8617d11c427a5eca7a7b3103497b5b66a5ba931b5d28013aa6ac44476
                                          • Instruction Fuzzy Hash: B721E2B5D00209DFDB10CFA9D985ADEBBF8EB48310F14841AE918A7350D379A944CFA1
                                          Function 01BC2901 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01BC2976
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 40ed3322bfe0aa598ed6376acc3232cbc4ed5f8068aad024fbe63c93ebbce5a2
                                          • Instruction ID: 04d307e6dc4718b0dfb86519913455bbb3a23411a5db47036dec903102551ea6
                                          • Opcode Fuzzy Hash: 40ed3322bfe0aa598ed6376acc3232cbc4ed5f8068aad024fbe63c93ebbce5a2
                                          • Instruction Fuzzy Hash: 28111772D003499FDB24DFA9C445BEFBBF5EB88310F24841AE555A7250C7769940CFA1
                                          Function 01BC2908 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                          Download Yara Rule
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01BC2976
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: d48e29bba84b1556bbc44813f0ed808f9f869273b944b021ec46febb6c979325
                                          • Instruction ID: eafb45251de33123cc94ab471f74ef19eee471cf2116384e6f724866dc82b99b
                                          • Opcode Fuzzy Hash: d48e29bba84b1556bbc44813f0ed808f9f869273b944b021ec46febb6c979325
                                          • Instruction Fuzzy Hash: ED1126728003499FDB24DFAAC845BDFBBF5EB48310F148419E515A7250CB7AA540CBA5
                                          Function 01BC2340 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • ResumeThread.KERNELBASE(BD0A3001), ref: 01BC23AA
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 4233aecbbb01c88ecb2483ea4df2e16012694a2cc384a935a9f18a6ead97365a
                                          • Instruction ID: f8b0218af74151adf5dadf16e9bcbd816e44188a7b9d7fae9c826828e11ceaa1
                                          • Opcode Fuzzy Hash: 4233aecbbb01c88ecb2483ea4df2e16012694a2cc384a935a9f18a6ead97365a
                                          • Instruction Fuzzy Hash: 471119B1D003498FEB24DFA9C4457EEBBF5EB88210F24842ED515A7340CB799945CB95
                                          Function 01BC2348 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                          Download Yara Rule
                                          APIs
                                          • ResumeThread.KERNELBASE(BD0A3001), ref: 01BC23AA
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 34854e92b13e5eccc5420a277bfcb179241f71bff64dcccab59ae86881f05fd1
                                          • Instruction ID: 4cd1e9db847d62a0c31a6132e11d3c9c24c1b1855e18897e7812dbaaf07ca1c4
                                          • Opcode Fuzzy Hash: 34854e92b13e5eccc5420a277bfcb179241f71bff64dcccab59ae86881f05fd1
                                          • Instruction Fuzzy Hash: 87112871D003488FDB24DFAAC4457DEFBF4EB88210F24841DD519A7340CB79A544CBA5
                                          Function 01BC4D1C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 01BC5705
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 9c2d4aa8c432ae2289284aa2dd540fec1fd398fe32786cb7bf375babc4214dcf
                                          • Instruction ID: 8f6974e6c730987a3df3cdc0c3c07342342d220a7a0e83e842c4cb5a0928cc16
                                          • Opcode Fuzzy Hash: 9c2d4aa8c432ae2289284aa2dd540fec1fd398fe32786cb7bf375babc4214dcf
                                          • Instruction Fuzzy Hash: 2F11F2B6900349DFDB20CF9AD885BDEBBF8EB48710F10845AE519A7300C379A944CFA5
                                          Function 01BC56A0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                          Download Yara Rule
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 01BC5705
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1435597072.0000000001BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01BC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1bc0000_workbook.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: a070cdd5610c4f5f4ca8d24e42468df3d110d8c7a55411ab3cbf0a9e16bba114
                                          • Instruction ID: babd247c494c26e8bc9958358e08fb2f95a1564072c9ccf266507cf31f52e678
                                          • Opcode Fuzzy Hash: a070cdd5610c4f5f4ca8d24e42468df3d110d8c7a55411ab3cbf0a9e16bba114
                                          • Instruction Fuzzy Hash: 0F11F5B5800348DFDB20CF99D445BDEBBF4EB48310F20845AE519A7610C375A944CFA1
                                          Function 0199B238 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0199B29E
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1433830444.0000000001990000.00000040.00000800.00020000.00000000.sdmp, Offset: 01990000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_1990000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: b9cd4a7b7ff569611cb928bc8fc6dc12bc648ca32a2387854472cf3d461010ed
                                          • Instruction ID: 2de685bfaba8f72b1a468ea270330dc42f7e2d7a344f63c4713b19bfd8cadd84
                                          • Opcode Fuzzy Hash: b9cd4a7b7ff569611cb928bc8fc6dc12bc648ca32a2387854472cf3d461010ed
                                          • Instruction Fuzzy Hash: E7110FB6C006498FDB20CF9AD444BDEFBF8EB88310F10846AD929A7200C379A545CFA1
                                          Function 07CC0470 Relevance: 1.3, APIs: 1, Instructions: 60COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 07CC04D0
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493556000.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7cc0000_workbook.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: b53dfc9d3741de6fbb919cfb84f73b14765a6c4892ec5e8467a7d1e4326d7231
                                          • Instruction ID: e7e23ce85417c12636b804a253f77d611f0d3cc912c0bf1f89d4c47532b37b8e
                                          • Opcode Fuzzy Hash: b53dfc9d3741de6fbb919cfb84f73b14765a6c4892ec5e8467a7d1e4326d7231
                                          • Instruction Fuzzy Hash: 3C2167B6900609CFDB20CF99D445BDEFBF4EB48320F10845AD558AB640C339A584CFA1
                                          Function 07DF9DE1 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: a89a3c8167b04b3e0a833e717bcbe3060e539621de3d29e9a99a99af250d487d
                                          • Instruction ID: 3b92089b6574841d03970e212860f4217c402ae5340bf3114dda87b106c2fd13
                                          • Opcode Fuzzy Hash: a89a3c8167b04b3e0a833e717bcbe3060e539621de3d29e9a99a99af250d487d
                                          • Instruction Fuzzy Hash: 7701ED306192C98FC70ADB78D89408C3F62FF86214B1446E9D0868F293EE395E56CB52
                                          Function 07CC0478 Relevance: 1.3, APIs: 1, Instructions: 33COMMON
                                          Download Yara Rule
                                          APIs
                                          • CloseHandle.KERNELBASE(?), ref: 07CC04D0
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493556000.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7cc0000_workbook.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 4ece681aad0e37b267699600dd9ee671ede83965effbd74d4aa7427892418945
                                          • Instruction ID: de3e6f9666481af06b9f0fcc86c5f8a14af7e16f43d3a65690b80e390590fde5
                                          • Opcode Fuzzy Hash: 4ece681aad0e37b267699600dd9ee671ede83965effbd74d4aa7427892418945
                                          • Instruction Fuzzy Hash: 4001EEB0800749DFDB20CF9AC589B9FBBF8EB08310F108419E559AB340C379A584CFA5
                                          Function 07DF9E08 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: 23f25f6776025f0ec845c9d4bb7800a0d04ff8d341a5d95b4487b30f19194476
                                          • Instruction ID: 8b66d7f7d2bb721db3b23287c097215c72fdd91bd4a838506779a8522bafaa36
                                          • Opcode Fuzzy Hash: 23f25f6776025f0ec845c9d4bb7800a0d04ff8d341a5d95b4487b30f19194476
                                          • Instruction Fuzzy Hash: 8EF08C30A1120DEFCB04EFB8E48558C7FB2FB88204B5049A8E4099B301EE386E54CB51
                                          Function 07DF3090 Relevance: .7, Instructions: 727COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b2b0686cb7d55c3f53095f43a2311b186a4c30c7ac6d16b7b22c002e88f9936
                                          • Instruction ID: acdf3a1040c667410a84d0c566e18dcefadf5bc8dba64c0d131f283b4705d090
                                          • Opcode Fuzzy Hash: 6b2b0686cb7d55c3f53095f43a2311b186a4c30c7ac6d16b7b22c002e88f9936
                                          • Instruction Fuzzy Hash: 3E724071910609CFDB14EF68C8946ADBBB1FF45305F028299D549AB265EF30EAC9CF81
                                          Function 07DF0040 Relevance: .6, Instructions: 551COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e004b5c605d62108ed1d1c96fcde2f5bfb9a4d7535395fcfeb9ae84690142062
                                          • Instruction ID: 3a614d036d2614ef4bd91817ba8442f44dc5caa4a419cdbc270431e868138e62
                                          • Opcode Fuzzy Hash: e004b5c605d62108ed1d1c96fcde2f5bfb9a4d7535395fcfeb9ae84690142062
                                          • Instruction Fuzzy Hash: 7942D671E1071ACBCB24DF68C8846EDF7B1BF89304F119699D559BB221EB30AA85CF40
                                          Function 07DF4960 Relevance: .5, Instructions: 500COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 83cf008ab8e18f519356d6f49de69a05a20063ebd00c9cc3d043ab8cd52cf2e5
                                          • Instruction ID: 73d701350f5f37d4c19977a379e9bce5ede4a30b9228391af45a28ca3ccfa5d2
                                          • Opcode Fuzzy Hash: 83cf008ab8e18f519356d6f49de69a05a20063ebd00c9cc3d043ab8cd52cf2e5
                                          • Instruction Fuzzy Hash: D6222674A10215CFCB14DF78C884BADB7B2FF89304F1586A8E54AAB365EB30A945CF50
                                          Function 07DFE517 Relevance: .5, Instructions: 493COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c60d921e3c4339d4fda7e1e0baccfe934bc9eec835505ba1250ded8481b42bd
                                          • Instruction ID: 363ac3a5e84be3dd07367d6b56a8d31776f6017ae1b5665c43dfc4713c4e234a
                                          • Opcode Fuzzy Hash: 0c60d921e3c4339d4fda7e1e0baccfe934bc9eec835505ba1250ded8481b42bd
                                          • Instruction Fuzzy Hash: 6B32D679710110DFDB04DF68E984D5B7BB6FB8C715B105198EA0A9B362EB3AAC85CF10
                                          Function 07DF003F Relevance: .3, Instructions: 326COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f43339b2175363dd0e33f19150b09605894508db1520588bfd4c11a603c9be46
                                          • Instruction ID: bd8d870d8025ce845e168585c3098792352a114db9e578b80e4f76040466ed95
                                          • Opcode Fuzzy Hash: f43339b2175363dd0e33f19150b09605894508db1520588bfd4c11a603c9be46
                                          • Instruction Fuzzy Hash: F0E10975E1061ACFCB24DF68C9846EDF7B1BF49300F119699D559AB262EB30AE80CF40
                                          Function 07DFF268 Relevance: .2, Instructions: 227COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e49b130d4786667c6e953146b7ca51afca4cdc396aeb7b3ca96fa057e7be4a50
                                          • Instruction ID: 7683d288cab1d4243ed3e065ed49f30ffa461cb18aa11f5b21299867964dadd6
                                          • Opcode Fuzzy Hash: e49b130d4786667c6e953146b7ca51afca4cdc396aeb7b3ca96fa057e7be4a50
                                          • Instruction Fuzzy Hash: 7791C235A103118BDB14EF38D48029D77B2EFC5204B54896CD809AF359EFB9AD4AC7E6
                                          Function 07DF5480 Relevance: .2, Instructions: 198COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51396b8fb730c4ad28e1fd1a03aaa8e175f07a174aa8051a3edea764a4a438c9
                                          • Instruction ID: 75c2c2c606501993eae71d17303b9b0cf39760ca33b96ab438ec9c0b1fe2aa5e
                                          • Opcode Fuzzy Hash: 51396b8fb730c4ad28e1fd1a03aaa8e175f07a174aa8051a3edea764a4a438c9
                                          • Instruction Fuzzy Hash: B5712676B002598FCB06DFBCC48499DF7B2BF89200F158269E55AEB355EB30E845CB90
                                          Function 07DF2A20 Relevance: .2, Instructions: 197COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57203aec1e16422b3b0cbd12128ecb578bc60ec65948b5378214a5bbca8af0ce
                                          • Instruction ID: 0b71acdfb9f1313a26eeaba9704ec99053ce81f3b2f2d5cfa9543d167aac5c44
                                          • Opcode Fuzzy Hash: 57203aec1e16422b3b0cbd12128ecb578bc60ec65948b5378214a5bbca8af0ce
                                          • Instruction Fuzzy Hash: 3291097191060ACFCB41DF68C880999FBF5FF89310B15879AE959EB255EB30E985CF80
                                          Function 07DF1DA8 Relevance: .2, Instructions: 176COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 221fb568a60576f84da69e7cf872ecab09d0ed2f35f6dcd88bc53699bd3202da
                                          • Instruction ID: 29be07086235ce7a35bf42fa1ec1d99f82b3a4c86625dc35394c1fb49363b86f
                                          • Opcode Fuzzy Hash: 221fb568a60576f84da69e7cf872ecab09d0ed2f35f6dcd88bc53699bd3202da
                                          • Instruction Fuzzy Hash: E471CEB9700A00CFC718DF29C49895ABBF2FF8921571589A9E54ACB372DB72EC41CB50
                                          Function 07DF1D99 Relevance: .2, Instructions: 174COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47a73bd79d5f50a3c32a97356ba407640747398522d980f04cf06bd390f0fd8b
                                          • Instruction ID: 4d0ac3b56f1b2e32140d52486fd8d2a089670ae820b7b59130fce52a139f11fe
                                          • Opcode Fuzzy Hash: 47a73bd79d5f50a3c32a97356ba407640747398522d980f04cf06bd390f0fd8b
                                          • Instruction Fuzzy Hash: DA71F2B9700600CFC718DF29C498A59BBF2FF8920571589A9E54ACB372DB72EC45CB50
                                          Function 07DF4950 Relevance: .2, Instructions: 173COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 296d7f5eac540d852f1b2dcd6ff1d9ab579bb446365854fdf8778a5da6db9aff
                                          • Instruction ID: 5bde00f9a6c9d0462a41cd76f36d6315cd37dd24673d63b67e7f42ad91adf365
                                          • Opcode Fuzzy Hash: 296d7f5eac540d852f1b2dcd6ff1d9ab579bb446365854fdf8778a5da6db9aff
                                          • Instruction Fuzzy Hash: 73619C71A002418FDB14DF79C888B9DB7F2FF89210F0546B8E64A9F3A1DB74A805CB61
                                          Function 07DF1BB8 Relevance: .2, Instructions: 172COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6473243db0c39decb7f72ab36984d7a84f8c91ecd7f9d1b16938176d3d7da64d
                                          • Instruction ID: 389b50f971e23cd55ce7dd4bb974cd240ff689ae493e369b9bdffc04815e7604
                                          • Opcode Fuzzy Hash: 6473243db0c39decb7f72ab36984d7a84f8c91ecd7f9d1b16938176d3d7da64d
                                          • Instruction Fuzzy Hash: DF7180B4A0020ACFC714CF69D584999FBF1BF49314B1986AAE949DB312E735E885CB90
                                          Function 07DF5472 Relevance: .2, Instructions: 153COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 94cdf96689ccb459fd0e59d226a2082e227951a9874d13dde5a488a796a50b44
                                          • Instruction ID: 12cc10eb71ae62d2529a8347d7ebf1937c312638e7bb0c64cbd43fa06106f072
                                          • Opcode Fuzzy Hash: 94cdf96689ccb459fd0e59d226a2082e227951a9874d13dde5a488a796a50b44
                                          • Instruction Fuzzy Hash: E5514E76B002198FCB05DFBCD48499CF7B2BF89200F158669E55AEB355EB31E845CB90
                                          Function 07DF2A11 Relevance: .1, Instructions: 145COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4c86b04423708770d52b2d130a6822bb771ba89cb972a062654eecee70049b3f
                                          • Instruction ID: 90a6981fa6bb9262759a086ca0e6ec35ae20287d38ad9db0fc2ffb9e408728c0
                                          • Opcode Fuzzy Hash: 4c86b04423708770d52b2d130a6822bb771ba89cb972a062654eecee70049b3f
                                          • Instruction Fuzzy Hash: 2251F87191070ACFCB41EFA8C880999FBB4FF49310B15D75AE859EB255EB70E985CB80
                                          Function 07DF52C8 Relevance: .1, Instructions: 139COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f2a9be4fa609a4bc2ccc4e5bd2c4da6b7dd36d467702bd2734fbfdfe79e94da0
                                          • Instruction ID: 15df0dd26d2648993ddc9aa3992569e6245e4f6a0027228619658dfbc6255eb0
                                          • Opcode Fuzzy Hash: f2a9be4fa609a4bc2ccc4e5bd2c4da6b7dd36d467702bd2734fbfdfe79e94da0
                                          • Instruction Fuzzy Hash: 3A41D5B1B006528BDB19A77CB41422EB6E7EFC551172A446DDA0BCF394EF64DC0683E2
                                          Function 07DF0CC9 Relevance: .1, Instructions: 108COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 275f441310c511f79d6b97005f41d65d71bc2ade950511b18b41f37a33912d35
                                          • Instruction ID: 68548383730ba40e29328a6fb1b901a57e7cfa75fad3de1fa6adfb100806067e
                                          • Opcode Fuzzy Hash: 275f441310c511f79d6b97005f41d65d71bc2ade950511b18b41f37a33912d35
                                          • Instruction Fuzzy Hash: 1D416F35A10709CFCB14EF78C884AEDBBB6FF89304F018559E155AB325EB71A946CB81
                                          Function 07DF0CD8 Relevance: .1, Instructions: 101COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba5b8f7f38c8410e176fb9397b44ecbcbbf2452049ecead8e06b43507f8763ae
                                          • Instruction ID: a72338448fca0e8a09ce48e824e10cdef0adf12a2b0f408f18c234f9651971b9
                                          • Opcode Fuzzy Hash: ba5b8f7f38c8410e176fb9397b44ecbcbbf2452049ecead8e06b43507f8763ae
                                          • Instruction Fuzzy Hash: F8414A35A10719CFCB14EF78C8849EDBBB6FF89304F008559E155AB325EB70A946CB81
                                          Function 07DF1BA8 Relevance: .1, Instructions: 96COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70b6f01254b31e05185a0c66279467ac90be4e02dd276115f709c7b0d2e5ecd3
                                          • Instruction ID: 1aa657aa8181a02ef9a2acaa2962a1f4a8e3d4cc6b1ec020a59e5f9b707444bf
                                          • Opcode Fuzzy Hash: 70b6f01254b31e05185a0c66279467ac90be4e02dd276115f709c7b0d2e5ecd3
                                          • Instruction Fuzzy Hash: E4413DB4A0024ACFC714CF68D584999FBF1FF49310B0986AAD949DB351E731EC45CB90
                                          Function 07DF0BD0 Relevance: .1, Instructions: 92COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8353c3c75d0c2b90f1fb3956130df413a3a4d2ce828321a80073f7345ce73ac8
                                          • Instruction ID: 8b69da0c555301448526a2162ff1c52d609620e81680434d14a0e3226dc581dd
                                          • Opcode Fuzzy Hash: 8353c3c75d0c2b90f1fb3956130df413a3a4d2ce828321a80073f7345ce73ac8
                                          • Instruction Fuzzy Hash: F0314F36B002199FCF04EF64E8448DDF7B6FF88214B059269E516AB325FB31AD45CB80
                                          Function 0192D3D8 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432611088.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_192d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a97552b3051c29209e85536922dac8fd93ea6ed40e52c3698a40bb17977bbc6f
                                          • Instruction ID: 87784b59cb0afd516b78869c4a1e3ea0f547393d177cf2fc839595d6c991e6d8
                                          • Opcode Fuzzy Hash: a97552b3051c29209e85536922dac8fd93ea6ed40e52c3698a40bb17977bbc6f
                                          • Instruction Fuzzy Hash: 5E213672504200DFDB15DF54D9C0F66BBA5FB84714F20C56DE90D0F29AC336E446CAA2
                                          Function 0192D4C4 Relevance: .1, Instructions: 75COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432611088.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_192d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c7bbdddf78e34a5c913c0d7ab131fa865270ab18f2e9fcca904efb27b297ed5
                                          • Instruction ID: deef46736d5ba8d1167b9d24748868701e24dcc794b27ae16b09b4cd5eabb306
                                          • Opcode Fuzzy Hash: 3c7bbdddf78e34a5c913c0d7ab131fa865270ab18f2e9fcca904efb27b297ed5
                                          • Instruction Fuzzy Hash: 1A21D372504240EFDB15DF54D9C0F26BFA5FB88318F24C569E9090B25EC376D456CAA2
                                          Function 0193D1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432963111.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_193d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5ef158a14421b2b010b4dcf8268ab6541ebecc94ad9f34be25189825f7cd8715
                                          • Instruction ID: 0a56f307ace55b1d80030214e5f6d2ea3a422648881a95523233cd0033b18d16
                                          • Opcode Fuzzy Hash: 5ef158a14421b2b010b4dcf8268ab6541ebecc94ad9f34be25189825f7cd8715
                                          • Instruction Fuzzy Hash: 7521F271904200EFEB15DFA4D9D0F26BBA5FBC4324F60C96DE90D4B292C336D846CA62
                                          Function 0193D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432963111.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_193d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: de7f9ddf335a29195b53fcf90186587e0d1f36eac74542e6e4546217af344a5d
                                          • Instruction ID: 93719b0b7ec406167646d721606ca101466fcaf4878378289b5f8996a286b7b1
                                          • Opcode Fuzzy Hash: de7f9ddf335a29195b53fcf90186587e0d1f36eac74542e6e4546217af344a5d
                                          • Instruction Fuzzy Hash: F721FFB1604200EFDB15DF64D990B26FBA5EB84614F60C96DE80E0B292C336D807CA62
                                          Function 07DF3BD0 Relevance: .1, Instructions: 70COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ec6b825abc4de74b8c34f00e650ca6c661ecc0e5181f725c0ce86db97214de0f
                                          • Instruction ID: cc6c46d6cf39e59ad08fbecbfae5cdcf9f3b2201d965466d2002bac71b3dd6a4
                                          • Opcode Fuzzy Hash: ec6b825abc4de74b8c34f00e650ca6c661ecc0e5181f725c0ce86db97214de0f
                                          • Instruction Fuzzy Hash: 09214271A106099FCB10EF6CD84059EFBB4FF99311F55C26AE958A7200FB30E998CB91
                                          Function 0193D006 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432963111.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_193d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8235708b58901a95733cf463bcd2683bb137e0a4daa24af5093a81711633f728
                                          • Instruction ID: 47c880da27861f6b3ee9bdc75189ed5c5b6c3f2e53898905dd99e2b396d4d94e
                                          • Opcode Fuzzy Hash: 8235708b58901a95733cf463bcd2683bb137e0a4daa24af5093a81711633f728
                                          • Instruction Fuzzy Hash: 172183755093809FDB13CF64D590715FFB1EB46214F28C5EAD8498F6A7C33A980ACB62
                                          Function 07DF5C80 Relevance: .1, Instructions: 59COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: be5f435193fd93b736b4bfde19bb68981ff992cfedfde204ef4785a42bde6319
                                          • Instruction ID: a51502490b98f304a0bca424499d9f0f518d9e9344f55fbc237985a8c325a308
                                          • Opcode Fuzzy Hash: be5f435193fd93b736b4bfde19bb68981ff992cfedfde204ef4785a42bde6319
                                          • Instruction Fuzzy Hash: D9219D72C00B5286DB019F68D840381B365FF95324F1A9ABACD4C3F346EB757984CBA0
                                          Function 0192D3D3 Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432611088.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_192d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction ID: a4e03ce160a99cf80e6edc808210c378a0892841dee2231ce86a50113f323fc9
                                          • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction Fuzzy Hash: 8A11E472404240DFDB16CF44D5C0B56BFB1FB84314F24C6A9D9090B69BC33AD456CB91
                                          Function 0192D4BF Relevance: .1, Instructions: 56COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432611088.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_192d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction ID: 18923051a6c9801034e92b6d50e9019147444c696d94aeb929d249fa11027dd0
                                          • Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
                                          • Instruction Fuzzy Hash: 13110372404280DFDB16CF54D5C0B16BFB1FB84314F24C6A9D8090B65BC336D456CBA2
                                          Function 07DF2040 Relevance: .1, Instructions: 55COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d341773ff6557f1b604c98e0d649ef452a71e4e0fd0870fdb9f3256adac0ff52
                                          • Instruction ID: 70d163edba3c0a2bed155a6d49f3c1a9d60b4e7f855aedca431b65567afc432c
                                          • Opcode Fuzzy Hash: d341773ff6557f1b604c98e0d649ef452a71e4e0fd0870fdb9f3256adac0ff52
                                          • Instruction Fuzzy Hash: A50128B360030A5FDB34A6B4E44079EB7E8EB80221F00446AC609DB580EE21F448C3A4
                                          Function 07DF5C90 Relevance: .1, Instructions: 54COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: efbc3ce8565cdd1d8dca25cfdb3b0acd03882c023f2bcd0ad245c1a79fe6d43f
                                          • Instruction ID: 2af6bb7704f406ce86fe92a5ba121ac6b476c978aefdb8a3184834e61aa57c97
                                          • Opcode Fuzzy Hash: efbc3ce8565cdd1d8dca25cfdb3b0acd03882c023f2bcd0ad245c1a79fe6d43f
                                          • Instruction Fuzzy Hash: 2D117C32D00B5686DB109F29D840282B365FF95324F1A87BACD4C3F306EBB17984C7A0
                                          Function 07DF5230 Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b28351e2e4d2cb9d0289b26d7eb3314081d17b5a5111248fa981f37dd3ae090
                                          • Instruction ID: 0757c04e787f03ed0dbb8006041162b5e2fbded086760925e2d397d084d3281d
                                          • Opcode Fuzzy Hash: 7b28351e2e4d2cb9d0289b26d7eb3314081d17b5a5111248fa981f37dd3ae090
                                          • Instruction Fuzzy Hash: FC01C475710201DFCB18DB69E888A6FBBE6FFC8614B144569E10ACB320CB75EC02C750
                                          Function 0193D1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432963111.000000000193D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0193D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_193d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: 88eaa5cd3240b3b70dac405faa18732fe6cb16e571e9fe35a70926e64c163b22
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: 4111BB75904280DFDB16CF54D5D0B15FFA1FB84324F24C6A9D8494B697C33AD80ACB62
                                          Function 07DF66E0 Relevance: .1, Instructions: 52COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93f293c43bc8bc93ed698f59c9ade7d88a5b17f4e42c0da529f38865750625ce
                                          • Instruction ID: d80a024eab6c77d9bbd7957d2e605de927ee9b64bc75c5083bdaa49edac43126
                                          • Opcode Fuzzy Hash: 93f293c43bc8bc93ed698f59c9ade7d88a5b17f4e42c0da529f38865750625ce
                                          • Instruction Fuzzy Hash: 7A11E5703043114BEB15A778D81539F7BAAEB85314F10855DD18D8F3C3C9FAA8464BA2
                                          Function 07DF62A0 Relevance: .1, Instructions: 51COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d74e573b1f4b25fcbc5fe9883836afa55b430ba301f2e1c6591e45d2fd4fecb3
                                          • Instruction ID: 731c60d0d8a7c2579c65a84d3bd88bac0b7b11fc5d021726879c8d037e65576b
                                          • Opcode Fuzzy Hash: d74e573b1f4b25fcbc5fe9883836afa55b430ba301f2e1c6591e45d2fd4fecb3
                                          • Instruction Fuzzy Hash: 6C11C4703003118BEB156778941479B66DAEBC4304F10841DE28D8F3C2CEFAA84647A2
                                          Function 0192D795 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432611088.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_192d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5cb05c928a170ecf3669c1a29b72723740c889daa9a7cf95dfd65525713a7531
                                          • Instruction ID: 78763e375342ec23cd0187d1167f5c1c47c818bfb8f3b9032474a67366a16fb0
                                          • Opcode Fuzzy Hash: 5cb05c928a170ecf3669c1a29b72723740c889daa9a7cf95dfd65525713a7531
                                          • Instruction Fuzzy Hash: 3201A7714043949EE7208EA9CD84F66BBDCEF41625F14845AED0D1E28AC37D9444CAB2
                                          Function 07DF5240 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3f5f9ef72c57299942519aa171b84ee109701b00b554b2f5ae57d932deda0374
                                          • Instruction ID: 7561dfef9f838adf5d845cf12c0e61c4b1284fe0df2bfe28b327e0aa695f34b1
                                          • Opcode Fuzzy Hash: 3f5f9ef72c57299942519aa171b84ee109701b00b554b2f5ae57d932deda0374
                                          • Instruction Fuzzy Hash: A7015A74710211CFC718DB6AE888A6ABBE6EFC96147148569E50ACB320CB71EC05CB60
                                          Function 07DF0F00 Relevance: .0, Instructions: 45COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 17a3f0d6825fcb5efb6ec30232d9cee565cdd6dc414e7c4c5fbf062791b4029f
                                          • Instruction ID: a65a593fd659adb5a99953eedbdeb99e820ba69489dc8ad5e7dab5786084734d
                                          • Opcode Fuzzy Hash: 17a3f0d6825fcb5efb6ec30232d9cee565cdd6dc414e7c4c5fbf062791b4029f
                                          • Instruction Fuzzy Hash: 2601A272600B068FC724EF39C4906AAF7B5EF85300F51962DEA859B761EB34E842CF41
                                          Function 07DF12D9 Relevance: .0, Instructions: 44COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e5fb26a334916c5c8a4a4e72db72ea73722f1674d316dd0112d057c1caac7ea
                                          • Instruction ID: 1e13fc33c555d629b5b0c0f27d7793f5c916a42dc5e1eb96f5b231621eaa967c
                                          • Opcode Fuzzy Hash: 0e5fb26a334916c5c8a4a4e72db72ea73722f1674d316dd0112d057c1caac7ea
                                          • Instruction Fuzzy Hash: FF01D13A7107048BCB05AB38D4056EEB779EFC1210F05562ED9999B700EF35A542C6A5
                                          Function 07DF0F10 Relevance: .0, Instructions: 44COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dfe6122ad2bb32d3b1368aa4fc597ce883a26c79fcddecd4d9539a11768a1b6e
                                          • Instruction ID: f6cb5fc9c8dfa3f3f327f62118fca134951b27a36b3d348d0f5c8a19fb188317
                                          • Opcode Fuzzy Hash: dfe6122ad2bb32d3b1368aa4fc597ce883a26c79fcddecd4d9539a11768a1b6e
                                          • Instruction Fuzzy Hash: C4010C71A00B068FC724EF39C45456AB7F6EF85300F51C66EE9869B261EB31E942CF81
                                          Function 07DF1358 Relevance: .0, Instructions: 39COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca40bf03c622dc7d3939a3fe8b2be1f8efbc2ca5e1b502f0d8a1c48c42ed98cb
                                          • Instruction ID: d6f8877d20bf565fb5caa0c4e615a6043fb683ee318a1e5b1a18b2835daa44d1
                                          • Opcode Fuzzy Hash: ca40bf03c622dc7d3939a3fe8b2be1f8efbc2ca5e1b502f0d8a1c48c42ed98cb
                                          • Instruction Fuzzy Hash: 63F0C8313002148FC7245A2AE444B6FB7FAFFC9311F540569E50587760DB39EC42C750
                                          Function 07DF16F0 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97dc3316fa748695ba1042e332af722d8ad7cd5d2f197dd59f0700e5eb7bc4df
                                          • Instruction ID: 769f09cb2d841ddc8923c3e8d0b72e4480ae1a320eb6bb0016fd280acaf7298e
                                          • Opcode Fuzzy Hash: 97dc3316fa748695ba1042e332af722d8ad7cd5d2f197dd59f0700e5eb7bc4df
                                          • Instruction Fuzzy Hash: 1CF054767047154B97149A7AE88485AB7E9EBC8225310467AE14AC7710DE619C068790
                                          Function 07DF12E8 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f6a99bd51373f0ae89b8f5a1f0ad5f0185438e9783d6beb5a61e4cd26b6a821
                                          • Instruction ID: 056a9aa4b78428f12752674dd2c84548786a6165b1df1f5adb09c3f929b93584
                                          • Opcode Fuzzy Hash: 6f6a99bd51373f0ae89b8f5a1f0ad5f0185438e9783d6beb5a61e4cd26b6a821
                                          • Instruction Fuzzy Hash: 36F0C23A700705CBCB15BB7494044EEB775EFC1210F01566ED9991B200FF31A541C6E5
                                          Function 0192D794 Relevance: .0, Instructions: 36COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1432611088.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_192d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d25c09c93c14e55ee6587ecd7996c77ba8592ee70062e9a6f7046dfb0d045280
                                          • Instruction ID: 45562b877727d457b4dcafbddf1627e9092b53eba251aea728e4320d362e7d93
                                          • Opcode Fuzzy Hash: d25c09c93c14e55ee6587ecd7996c77ba8592ee70062e9a6f7046dfb0d045280
                                          • Instruction Fuzzy Hash: 5CF0C271404380AEE7208E59CC84B62FFDCEB40625F18C05AED0C0F287C3799844CAB1
                                          Function 07DFE4CB Relevance: .0, Instructions: 35COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b20755a6f5b0b3dc548fc9e86f4194095d804dec7e2a87419cf58a77b7387c4
                                          • Instruction ID: dac9c1c4f46d056d31a0a8f157ea6038bc725ff719b41f4a24bffc982e295e3c
                                          • Opcode Fuzzy Hash: 0b20755a6f5b0b3dc548fc9e86f4194095d804dec7e2a87419cf58a77b7387c4
                                          • Instruction Fuzzy Hash: F9F08C22A1D3904FD3079634AC262D67F65AF57105B0E81EFD0C5CF1A3D6498D0787A2
                                          Function 07DFA730 Relevance: .0, Instructions: 34COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ba4c98db4e2b82948190cfc6d5a836c24def7619be65084e0ecf364f49940ad6
                                          • Instruction ID: d9306500800320a537e2d53249471cc55d12ab32719281f605df400fd506b434
                                          • Opcode Fuzzy Hash: ba4c98db4e2b82948190cfc6d5a836c24def7619be65084e0ecf364f49940ad6
                                          • Instruction Fuzzy Hash: F8F09E715091500FD701533CE8666D23F75DB97200B89828EF086CF662EA8D8C0B43A1
                                          Function 07DF1368 Relevance: .0, Instructions: 34COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: af3a4bc45f0bc80554239a242ddfd2ce8ed28473a91659b6f9c9c524d2b58f68
                                          • Instruction ID: a3e8f2f2b09803fe37118f90284cfb919cf719eee377a1a66d474dec11c1deb3
                                          • Opcode Fuzzy Hash: af3a4bc45f0bc80554239a242ddfd2ce8ed28473a91659b6f9c9c524d2b58f68
                                          • Instruction Fuzzy Hash: 50F0B4353006148FC724AB1AD44496FB7EAFFCD225700056DE10A8B760DF75EC42C790
                                          Function 07DF16E0 Relevance: .0, Instructions: 33COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b97c1dae8671e3c89bdb22dacf233800f5197456019f1f3ff1b50ca6ae83444
                                          • Instruction ID: 97ea8d7a5d108f46d6a739a6e37b66fe066a897b95d8ca401a67d70a6bd51882
                                          • Opcode Fuzzy Hash: 3b97c1dae8671e3c89bdb22dacf233800f5197456019f1f3ff1b50ca6ae83444
                                          • Instruction Fuzzy Hash: DDF02BB67093414FD7029775A89481E7FE9DFC512530549BEE085CB322DD64DC058351
                                          Function 07DF9FE8 Relevance: .0, Instructions: 33COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a0fc5f46ab3f8921d5e822ce33d3f1809168114c39a12718846eddabb68475c
                                          • Instruction ID: 744fcf95657437972a08b9208b9741bc736cdc5a2194ab059ced7b028619d164
                                          • Opcode Fuzzy Hash: 7a0fc5f46ab3f8921d5e822ce33d3f1809168114c39a12718846eddabb68475c
                                          • Instruction Fuzzy Hash: 27F0B436201309DFD714EF38D8849AE7BEEEFC63557144869E1048B324DA39EC12C795
                                          Function 07DF1B51 Relevance: .0, Instructions: 33COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5bfe24463ac114d05c264b9ce099d643edd4fbb631b90b8a033890b0b26e5327
                                          • Instruction ID: 9b29f6103e3c6f29a172425eee2d39a235911793da093e2d711dff5a3e2a93e0
                                          • Opcode Fuzzy Hash: 5bfe24463ac114d05c264b9ce099d643edd4fbb631b90b8a033890b0b26e5327
                                          • Instruction Fuzzy Hash: 4BF04471200610CFC704CB2CD888A59BBE5EF4A71AB0645A9E00ACB732DB72EC01CB80
                                          Function 07DF67E0 Relevance: .0, Instructions: 31COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 73cc262b442dcdeaac3a5439968e28465f479dede27be52124fa60c0a172c88e
                                          • Instruction ID: 3921b545bd0233ca82188105c6b370e41b63a3ab28a616b5cb4ccb8cfe14fcbd
                                          • Opcode Fuzzy Hash: 73cc262b442dcdeaac3a5439968e28465f479dede27be52124fa60c0a172c88e
                                          • Instruction Fuzzy Hash: 37F05E716103058F9F18CF18D482A857BE5FB04318720486DE456CF302E772EC038B84
                                          Function 07DF9FF8 Relevance: .0, Instructions: 29COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05b82845b72d00b3c3a6be8014d791cbb6826ae15d941f18018d5e7f3c27d07a
                                          • Instruction ID: 4f4fb8a90a8286d129d6567fdb0a7373ab711639243b6be25c3d4da1ae222b2d
                                          • Opcode Fuzzy Hash: 05b82845b72d00b3c3a6be8014d791cbb6826ae15d941f18018d5e7f3c27d07a
                                          • Instruction Fuzzy Hash: 2EF08C3620130ADBD718AF39D4408AA37ADEF8A3553108469E6048B224DA75AC118B94
                                          Function 07DF1B60 Relevance: .0, Instructions: 28COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 398c5633f042eeca51f481b559d5216a21a5d03fb5bfe1345a3829a67494c1c9
                                          • Instruction ID: 72ccd5372dd5d83d049108f03bd5c3d0d20512f5f1b3ca42836a1b635c112ec8
                                          • Opcode Fuzzy Hash: 398c5633f042eeca51f481b559d5216a21a5d03fb5bfe1345a3829a67494c1c9
                                          • Instruction Fuzzy Hash: C4F0DF74200614CFC718DB2CD588D59BBEAEF4AB1971285A9E10ACB332DB72EC41CB80
                                          Function 07DF56A7 Relevance: .0, Instructions: 27COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: de6c8fd2c8a441e2bfae20518cc3ddfb355bae1e59c77f9e1adcc55ad6420759
                                          • Instruction ID: 4aebca271b8ceea558e0a599b6263324aec129f0e20ef5bb609e9d0027caf0e9
                                          • Opcode Fuzzy Hash: de6c8fd2c8a441e2bfae20518cc3ddfb355bae1e59c77f9e1adcc55ad6420759
                                          • Instruction Fuzzy Hash: 34E0CD337040249FCB10629CFC45ADDB7A5DBD5175B590177E208D7710D96A8C1347A1
                                          Function 07DF67D0 Relevance: .0, Instructions: 25COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 41b8921c8d33cff09ad6da3182fd9bad0b3ec01e5c4b28edab4945995dd1f243
                                          • Instruction ID: 37a88f8d52ce0b67fa5336f087a79145b8b0ddde57e5b32d665610c1a377ce20
                                          • Opcode Fuzzy Hash: 41b8921c8d33cff09ad6da3182fd9bad0b3ec01e5c4b28edab4945995dd1f243
                                          • Instruction Fuzzy Hash: AAE0DF326143058BDF29CB58E89339ABF96EB00204F18886DE44ACF741EB21D9478FC1
                                          Function 07DF9FA0 Relevance: .0, Instructions: 25COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dfc9e89c209be031139affaf7b27685952faf3a319887a3890053b1a60758bc6
                                          • Instruction ID: d96da901b3b9cd98d227815a9533db3f0d5d8156ac41e3f33d9dc1e358b1e9fd
                                          • Opcode Fuzzy Hash: dfc9e89c209be031139affaf7b27685952faf3a319887a3890053b1a60758bc6
                                          • Instruction Fuzzy Hash: 29F0C975D0420CEFCB41DFA4D8855DEBFB9EB48204F1046EAD815E7245EA385B1A9F81
                                          Function 07DF66A1 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e317681cc282f29d8606ef2d9a919620656011a01f430bcb9c39f787ae368c88
                                          • Instruction ID: 93319751871e2ddc1f87cb04fa5f278a183b2ac7e568545075a1b2dfa3c8dbb5
                                          • Opcode Fuzzy Hash: e317681cc282f29d8606ef2d9a919620656011a01f430bcb9c39f787ae368c88
                                          • Instruction Fuzzy Hash: 85E0C2763046185BDB1A665CD4117CBB2DDCBCC750F05806AE20DCB3A0D9A4ED0043EA
                                          Function 07DFA6F0 Relevance: .0, Instructions: 20COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6ca1e1c4d5f2ff7abafebefee6a6ff8f59da9286e107bef51dfb6a347aa0656
                                          • Instruction ID: 9f178af627d665f8b616006d806c4d242840bf851fb4aa5ff99e1fa3ee065085
                                          • Opcode Fuzzy Hash: e6ca1e1c4d5f2ff7abafebefee6a6ff8f59da9286e107bef51dfb6a347aa0656
                                          • Instruction Fuzzy Hash: 68E0C2306001254BDB44A63DE8527DB2BA6EB89210F545728E046CFB01DAAE9D0703E0
                                          Function 07DFE058 Relevance: .0, Instructions: 20COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d531d1f797edf7b34db64d9da89d47691de720d425d1ff9956ddfce97c3dbf19
                                          • Instruction ID: 0b7e1671533b585845e63286b6c29e7b73c09d7d25381c7c6fa7c023130a8d13
                                          • Opcode Fuzzy Hash: d531d1f797edf7b34db64d9da89d47691de720d425d1ff9956ddfce97c3dbf19
                                          • Instruction Fuzzy Hash: 74E0C2313140248FC3085B9CE450AA73BA6E79E721F1001B9F10DCB7A4C93AEC434780
                                          Function 07DF9FB0 Relevance: .0, Instructions: 19COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 814ed5568ddf84b52bc5e9986a44360436f660bfcd2bcb0f1cbe3bb27a267867
                                          • Instruction ID: 360e736ac0207478d8b8f97bb7c4089ac8a27127ef34f781b13a739ce3f59fb0
                                          • Opcode Fuzzy Hash: 814ed5568ddf84b52bc5e9986a44360436f660bfcd2bcb0f1cbe3bb27a267867
                                          • Instruction Fuzzy Hash: A8E09275D0020CEFCB40DFE4D9858DDBBB9EB48204F1086AAE819A3204EB346B55DF80
                                          Function 07DF66B0 Relevance: .0, Instructions: 18COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ffc79747d71cfc1c4e6a186dbb0fdcdf5702572b4871d445df40818d49b1d23a
                                          • Instruction ID: 007c1514fcf70dfaccd4a7f9d15e117f9b1aa2d7b4946ee7b2a4500ba3626d1a
                                          • Opcode Fuzzy Hash: ffc79747d71cfc1c4e6a186dbb0fdcdf5702572b4871d445df40818d49b1d23a
                                          • Instruction Fuzzy Hash: ECD05E713046145BDB09674C941079BB6DE8FCD750F05806BE60D8B3A0C9A19C0142E6
                                          Function 07DF20C8 Relevance: .0, Instructions: 16COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee8100b5c445cdedd4838ea781cf8ff54af38f083ab94ba84c04799d9f2d3640
                                          • Instruction ID: 3f8a2d906613d2cb30a0cf59560fb0fe0981967adc4213a0fe89b6a1375784cd
                                          • Opcode Fuzzy Hash: ee8100b5c445cdedd4838ea781cf8ff54af38f083ab94ba84c04799d9f2d3640
                                          • Instruction Fuzzy Hash: 2FD0A9B22802488FCB008B98C887B293B74AF46714B1800ACE14A8B722C32BF802C751
                                          Function 07DFE068 Relevance: .0, Instructions: 16COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0b7f48291151c82435ad79b1e9350663d6ca5c4e2d3253fd01364f18f0dab6df
                                          • Instruction ID: 5bbd62b556f46739c42ffbdaf288a74703ee0ca85552a8c967f51b1e96c25202
                                          • Opcode Fuzzy Hash: 0b7f48291151c82435ad79b1e9350663d6ca5c4e2d3253fd01364f18f0dab6df
                                          • Instruction Fuzzy Hash: 86D05E353200289B8304AB5CE444C573BADEB9D72571040A9E10987364CE65EC018BD0
                                          Function 07DF20D8 Relevance: .0, Instructions: 13COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.1493970130.0000000007DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DF0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_15_2_7df0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 297dc1e80638cb8261d32d7afade5006b2f7425a309055fc63825cecf9193c78
                                          • Instruction ID: 4f597fa006d867d3b10b5c3aad9015cc9ab2ad74a3f8a8a6093128f39244ee25
                                          • Opcode Fuzzy Hash: 297dc1e80638cb8261d32d7afade5006b2f7425a309055fc63825cecf9193c78
                                          • Instruction Fuzzy Hash: 2CC01271340A088FCB04CBA8E89082633A8BF88A1930400A8E20E8B621D722F811CA00

                                          Execution Graph

                                          Execution Coverage:8.6%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:75
                                          Total number of Limit Nodes:7
                                          execution_graph 23688 1456540 23689 1456569 23688->23689 23693 1456720 23689->23693 23696 145670f 23689->23696 23690 1456673 23700 145611c 23693->23700 23697 1456713 23696->23697 23698 145674e 23696->23698 23699 145611c DuplicateHandle 23697->23699 23698->23690 23699->23698 23701 1456788 DuplicateHandle 23700->23701 23702 145674e 23701->23702 23702->23690 23703 1454668 23704 1454676 23703->23704 23709 1456de0 23704->23709 23707 1454704 23710 1456e05 23709->23710 23718 1456ef0 23710->23718 23722 1456edf 23710->23722 23711 14546e9 23714 145421c 23711->23714 23715 1454227 23714->23715 23730 1458560 23715->23730 23717 1458806 23717->23707 23720 1456f17 23718->23720 23719 1456ff4 23719->23719 23720->23719 23726 1456414 23720->23726 23724 1456f17 23722->23724 23723 1456ff4 23723->23723 23724->23723 23725 1456414 CreateActCtxA 23724->23725 23725->23723 23727 1457370 CreateActCtxA 23726->23727 23729 1457433 23727->23729 23731 145856b 23730->23731 23734 1458580 23731->23734 23733 14588dd 23733->23717 23735 145858b 23734->23735 23738 14585b0 23735->23738 23737 14589ba 23737->23733 23739 14585bb 23738->23739 23742 14585e0 23739->23742 23741 1458aad 23741->23737 23743 14585eb 23742->23743 23745 1459e93 23743->23745 23748 145bed1 23743->23748 23744 1459ed1 23744->23741 23745->23744 23754 145df70 23745->23754 23749 145beda 23748->23749 23751 145be91 23748->23751 23758 145bf08 23749->23758 23761 145bef8 23749->23761 23750 145bee6 23750->23745 23751->23745 23755 145df91 23754->23755 23756 145dfb5 23755->23756 23769 145e120 23755->23769 23756->23744 23764 145bff0 23758->23764 23759 145bf17 23759->23750 23762 145bf17 23761->23762 23763 145bff0 GetModuleHandleW 23761->23763 23762->23750 23763->23762 23765 145c034 23764->23765 23766 145c011 23764->23766 23765->23759 23766->23765 23767 145c238 GetModuleHandleW 23766->23767 23768 145c265 23767->23768 23768->23759 23770 145e12d 23769->23770 23771 145e166 23770->23771 23773 145c464 23770->23773 23771->23756 23774 145c46f 23773->23774 23775 145e1d8 23774->23775 23777 145c498 23774->23777 23778 145c4a3 23777->23778 23779 14585e0 2 API calls 23778->23779 23780 145e247 23779->23780 23783 145e2c0 23780->23783 23781 145e256 23781->23775 23784 145e2ee 23783->23784 23785 145e3ba KiUserCallbackDispatcher 23784->23785 23786 145e3bf 23784->23786 23785->23786

                                          Executed Functions

                                          Function 07FEB6E0 Relevance: .7, Instructions: 708COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aacf932144724797dcb8cc6dc3a06ec38e6015adbe8d81723a2628ffe412704e
                                          • Instruction ID: 706389e84547c2112b5d69ee44f32bc35b51cca344d76be121e2e23a2d4ebf0c
                                          • Opcode Fuzzy Hash: aacf932144724797dcb8cc6dc3a06ec38e6015adbe8d81723a2628ffe412704e
                                          • Instruction Fuzzy Hash: E0427DB5B007168FDB15CF69C494A6EFBF6BF88300F28852AD55A97391CB34E901CB91
                                          Function 01457364 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 559 1457364-1457431 CreateActCtxA 561 1457433-1457439 559->561 562 145743a-1457494 559->562 561->562 569 1457496-1457499 562->569 570 14574a3-14574a7 562->570 569->570 571 14574a9-14574b5 570->571 572 14574b8 570->572 571->572 574 14574b9 572->574 574->574
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01457421
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756612693.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_1450000_workbook.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID: U
                                          • API String ID: 2289755597-3372436214
                                          • Opcode ID: 746e31b5a3751eef46da8a298e4c53520e3076944ad08a274b08adec05f6bc32
                                          • Instruction ID: 6716cca652863f8312e4606c6ad4646cf42fdb0c2e07ce8e4b3e0255bc0caae5
                                          • Opcode Fuzzy Hash: 746e31b5a3751eef46da8a298e4c53520e3076944ad08a274b08adec05f6bc32
                                          • Instruction Fuzzy Hash: AD41B071C00719CFEB28DFA9C844BCEBBB5BF49305F60806AD808AB261DB755946CF90
                                          Function 07FE7911 Relevance: 2.8, Strings: 2, Instructions: 309COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 575 7fe7911-7fe7914 576 7fe789c-7fe78bc 575->576 577 7fe7916-7fe7980 575->577 583 7fe78be-7fe78df 576->583 584 7fe78e1-7fe78ea 576->584 590 7fe7988-7fe79c1 577->590 583->584 594 7fe79ca-7fe7a0c 590->594 595 7fe79c3-7fe79c8 590->595 596 7fe7a0f-7fe7a19 594->596 595->596 597 7fe7a1f-7fe7b0d call 7fe0a20 * 2 call 7fe0dc8 * 2 call 7fe0a20 call 7fe0dc8 596->597 598 7fe7b15-7fe7bfa call 7fe0788 * 2 596->598 597->598 645 7fe7c3e-7fe7ca9 call 7fe0788 598->645 646 7fe7bfc-7fe7c31 598->646 661 7fe7cab 645->661 662 7fe7cb4 645->662 646->645 658 7fe7c33-7fe7c36 646->658 658->645 661->662 663 7fe7cb5 662->663 663->663
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q$4'q
                                          • API String ID: 0-1467158625
                                          • Opcode ID: d725723aca8c7af2f40c7df494a22600f667a9ca4b36d06d8bc52a5b39568a81
                                          • Instruction ID: f7476a4fcfb5c644dd0433bd12b19e9aac6cffdd5fc1227b646dbdc9dc6c98c7
                                          • Opcode Fuzzy Hash: d725723aca8c7af2f40c7df494a22600f667a9ca4b36d06d8bc52a5b39568a81
                                          • Instruction Fuzzy Hash: 1DD1DC75B10218CFC744EFA8D994A9EB7B6FF89300F104169E505AB3A5DB71EC42CB50
                                          Function 07FE7920 Relevance: 2.8, Strings: 2, Instructions: 295COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 664 7fe7920-7fe7980 669 7fe7988-7fe79c1 664->669 673 7fe79ca-7fe7a0c 669->673 674 7fe79c3-7fe79c8 669->674 675 7fe7a0f-7fe7a19 673->675 674->675 676 7fe7a1f-7fe7b0d call 7fe0a20 * 2 call 7fe0dc8 * 2 call 7fe0a20 call 7fe0dc8 675->676 677 7fe7b15-7fe7bfa call 7fe0788 * 2 675->677 676->677 724 7fe7c3e-7fe7ca9 call 7fe0788 677->724 725 7fe7bfc-7fe7c31 677->725 740 7fe7cab 724->740 741 7fe7cb4 724->741 725->724 737 7fe7c33-7fe7c36 725->737 737->724 740->741 742 7fe7cb5 741->742 742->742
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q$4'q
                                          • API String ID: 0-1467158625
                                          • Opcode ID: 8db8d060e77d8966934fe509fadee30b12846e385228598237e357fda072209a
                                          • Instruction ID: 1d921a7f0ddceacc0367add556cdf14d0915289edd3fef97eb8f12ada32e8301
                                          • Opcode Fuzzy Hash: 8db8d060e77d8966934fe509fadee30b12846e385228598237e357fda072209a
                                          • Instruction Fuzzy Hash: F2C1B774A10218DFDB44EFA8C994AADB7B6FF89300F104169E506AB3A5DB71EC42CF51
                                          Function 0145BFF0 Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 743 145bff0-145c00f 744 145c011-145c01e call 145af60 743->744 745 145c03b-145c03f 743->745 752 145c034 744->752 753 145c020 744->753 746 145c041-145c04b 745->746 747 145c053-145c094 745->747 746->747 754 145c096-145c09e 747->754 755 145c0a1-145c0af 747->755 752->745 798 145c026 call 145c689 753->798 799 145c026 call 145c698 753->799 754->755 756 145c0b1-145c0b6 755->756 757 145c0d3-145c0d5 755->757 760 145c0c1 756->760 761 145c0b8-145c0bf call 145af6c 756->761 759 145c0d8-145c0df 757->759 758 145c02c-145c02e 758->752 762 145c170-145c230 758->762 763 145c0e1-145c0e9 759->763 764 145c0ec-145c0f3 759->764 766 145c0c3-145c0d1 760->766 761->766 793 145c232-145c235 762->793 794 145c238-145c263 GetModuleHandleW 762->794 763->764 767 145c0f5-145c0fd 764->767 768 145c100-145c109 call 145af7c 764->768 766->759 767->768 774 145c116-145c11b 768->774 775 145c10b-145c113 768->775 776 145c11d-145c124 774->776 777 145c139-145c146 774->777 775->774 776->777 779 145c126-145c136 call 145af8c call 145af9c 776->779 783 145c169-145c16f 777->783 784 145c148-145c166 777->784 779->777 784->783 793->794 795 145c265-145c26b 794->795 796 145c26c-145c280 794->796 795->796 798->758 799->758
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0145C256
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756612693.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_1450000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: ed6e51592b928c67b4dbbd700dcc7572871f385643ce402b417266aa43122bf2
                                          • Instruction ID: 89db52c25a2e09cad0feac0579a7dc528523b637ccf54451923a911249ce4d56
                                          • Opcode Fuzzy Hash: ed6e51592b928c67b4dbbd700dcc7572871f385643ce402b417266aa43122bf2
                                          • Instruction Fuzzy Hash: 498157B0A00B058FD764DF69C48079BBBF5BF48604F108A2ED88ADBB51D735E846CB90
                                          Function 01456414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 800 1456414-1457431 CreateActCtxA 803 1457433-1457439 800->803 804 145743a-1457494 800->804 803->804 811 1457496-1457499 804->811 812 14574a3-14574a7 804->812 811->812 813 14574a9-14574b5 812->813 814 14574b8 812->814 813->814 816 14574b9 814->816 816->816
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01457421
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756612693.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_1450000_workbook.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: cd54046c4d5b0b9175de6f91eebfcf9879be542c2d856592bb70d5193d4f9ccb
                                          • Instruction ID: 833a7e12f4ac4bea4fd8ad075713355d491b86d4e961f9c0f0ce59b0b0a5aefb
                                          • Opcode Fuzzy Hash: cd54046c4d5b0b9175de6f91eebfcf9879be542c2d856592bb70d5193d4f9ccb
                                          • Instruction Fuzzy Hash: E341B070C00719CFEB24DFA9C844BDEBBB5BF49305F60806AD808AB251DB756946CF90
                                          Function 01456780 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 817 1456780-1456783 819 1456788-145681c DuplicateHandle 817->819 820 1456825-1456842 819->820 821 145681e-1456824 819->821 821->820
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0145674E,?,?,?,?,?), ref: 0145680F
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756612693.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_1450000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 96bc4c610f80244ff48410c24672c86374250bf6d20517938df38aebde626bf3
                                          • Instruction ID: bf9359e70e992f2384173ab46682ed848e175e7cd1ab3818c102b283fad5a8ee
                                          • Opcode Fuzzy Hash: 96bc4c610f80244ff48410c24672c86374250bf6d20517938df38aebde626bf3
                                          • Instruction Fuzzy Hash: C221F3B5900249EFDB10CFAAD984ADEFFF4EB48320F14801AE954A7351D379A944CFA5
                                          Function 0145611C Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 824 145611c-145681c DuplicateHandle 826 1456825-1456842 824->826 827 145681e-1456824 824->827 827->826
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0145674E,?,?,?,?,?), ref: 0145680F
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756612693.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_1450000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 38d5a00f032ab33217a5fff368a7cc09558169db6b18d57c0148e4ec1beb3ca3
                                          • Instruction ID: 9bc8a97f177f909c85e0b4cde97606dfe38320d0f06fce0a9300b2a8f00da808
                                          • Opcode Fuzzy Hash: 38d5a00f032ab33217a5fff368a7cc09558169db6b18d57c0148e4ec1beb3ca3
                                          • Instruction Fuzzy Hash: D121E3B5D00248EFDB10CF9AD984ADEFBF4EB48310F14841AE918A7351D378A954CFA5
                                          Function 07FE6680 Relevance: 1.6, Strings: 1, Instructions: 309COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 830 7fe6680-7fe6701 837 7fe670a-7fe6718 830->837 838 7fe6703-7fe6708 830->838 839 7fe671b-7fe6796 call 7fe2fc8 837->839 838->839 919 7fe6799 call 7fe6b48 839->919 920 7fe6799 call 7fe6b38 839->920 849 7fe679f-7fe67a6 850 7fe67af-7fe67ec 849->850 851 7fe67a8-7fe67ad 849->851 852 7fe67ef-7fe685c 850->852 851->852 864 7fe696d-7fe69cd call 7fe0788 call 7fe0950 call 7fe0788 call 7fe0a20 852->864 865 7fe6862-7fe696b call 7fe63c8 call 7fe0788 call 7fe0950 call 7fe6360 call 7fe19d0 call 7fe0a20 852->865 888 7fe69d2-7fe69fa 864->888 865->888 896 7fe69fc-7fe6a34 888->896 897 7fe6a36-7fe6a5b 888->897 896->897 904 7fe6a5d 897->904 905 7fe6a66 897->905 904->905 909 7fe6a67 905->909 909->909 919->849 920->849
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Plq
                                          • API String ID: 0-3623438852
                                          • Opcode ID: a9be262b84999346d4b247e412ca8ab99d339aaf96f2bc87a06f52bc074f3147
                                          • Instruction ID: 9a64e044f3e88d250c958663ff39cbbc2b6654b65a2a1d9771eda54f680f689e
                                          • Opcode Fuzzy Hash: a9be262b84999346d4b247e412ca8ab99d339aaf96f2bc87a06f52bc074f3147
                                          • Instruction Fuzzy Hash: ECD1EB74B102189FDB44EFA9D994EAEB7B6FF89700F144059E506AB3A5CA71EC01CB50
                                          Function 0145C1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 921 145c1f0-145c230 922 145c232-145c235 921->922 923 145c238-145c263 GetModuleHandleW 921->923 922->923 924 145c265-145c26b 923->924 925 145c26c-145c280 923->925 924->925
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0145C256
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756612693.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_1450000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 8056e5fcc6be51dccfa6c112e06cef8beb0a21a8b3a510b3be41b7bac766d4cb
                                          • Instruction ID: f8a1f2152041892a8c6ef15182ebc2ad3ca6d4926039651045f3d0b4f26da2b7
                                          • Opcode Fuzzy Hash: 8056e5fcc6be51dccfa6c112e06cef8beb0a21a8b3a510b3be41b7bac766d4cb
                                          • Instruction Fuzzy Hash: 7A1113B6C003498FDB10DF9AC444BDEFBF8EB88210F10841AD819A7711C375A545CFA5
                                          Function 07FE6672 Relevance: 1.5, Strings: 1, Instructions: 262COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 927 7fe6672-7fe6701 935 7fe670a-7fe6718 927->935 936 7fe6703-7fe6708 927->936 937 7fe671b-7fe6796 call 7fe2fc8 935->937 936->937 1017 7fe6799 call 7fe6b48 937->1017 1018 7fe6799 call 7fe6b38 937->1018 947 7fe679f-7fe67a6 948 7fe67af-7fe67ec 947->948 949 7fe67a8-7fe67ad 947->949 950 7fe67ef-7fe685c 948->950 949->950 962 7fe696d-7fe69cd call 7fe0788 call 7fe0950 call 7fe0788 call 7fe0a20 950->962 963 7fe6862-7fe696b call 7fe63c8 call 7fe0788 call 7fe0950 call 7fe6360 call 7fe19d0 call 7fe0a20 950->963 986 7fe69d2-7fe69fa 962->986 963->986 994 7fe69fc-7fe6a34 986->994 995 7fe6a36-7fe6a5b 986->995 994->995 1002 7fe6a5d 995->1002 1003 7fe6a66 995->1003 1002->1003 1007 7fe6a67 1003->1007 1007->1007 1017->947 1018->947
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Plq
                                          • API String ID: 0-3623438852
                                          • Opcode ID: 412f983b82da78f0cd6c513062f383bdeb9e640b53241dd158f9684770cfb3a7
                                          • Instruction ID: c8eb9231b5512b46889fde417a2ba54b010232c7e6efef9cb69095652c9a56de
                                          • Opcode Fuzzy Hash: 412f983b82da78f0cd6c513062f383bdeb9e640b53241dd158f9684770cfb3a7
                                          • Instruction Fuzzy Hash: A4B10C74B102189FDB44EFA9D894E9EBBB6FF89700F148059E505AB3A5CB71EC41CB50
                                          Function 07FE1F70 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1056 7fe1f70-7fe1fe9 1064 7fe200c-7fe20b1 call 7fe0788 1056->1064 1065 7fe1feb-7fe2007 1056->1065 1072 7fe20b6-7fe20ba 1064->1072 1065->1072 1092 7fe20bc call 7fe21b0 1072->1092 1093 7fe20bc call 7fe21a1 1072->1093 1075 7fe20c2-7fe20cd 1079 7fe20cf-7fe20d1 1075->1079 1080 7fe20d8-7fe2104 1075->1080 1079->1080 1086 7fe210f 1080->1086 1087 7fe2106 1080->1087 1089 7fe2110 1086->1089 1087->1086 1089->1089 1092->1075 1093->1075
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: c265a99806a8c14a5c4cf50d2cfb71f96473886bd0e9fac407f43a4477ea6b09
                                          • Instruction ID: 4660a88467e41ed41edc70c94a9fa985b8573bd834a54d16b77100f868e63176
                                          • Opcode Fuzzy Hash: c265a99806a8c14a5c4cf50d2cfb71f96473886bd0e9fac407f43a4477ea6b09
                                          • Instruction Fuzzy Hash: 8D415230B106148FCB54EB68C868A6DB7BBFFC9700F14441AE606AB394DF749D46CB91
                                          Function 07FE3CE5 Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: c92d886e98ed52a15419fce9a59a5f26572414dcf44cabea1ce8a536e28796ca
                                          • Instruction ID: 7b617c41ab658bde3f96d83aadd4e4dfb1601fbb982d578b145e8e263c91e74f
                                          • Opcode Fuzzy Hash: c92d886e98ed52a15419fce9a59a5f26572414dcf44cabea1ce8a536e28796ca
                                          • Instruction Fuzzy Hash: D4313C717006149FD368EB69C858F2A77EAEFC9714F144468E60A8B3A1DE71EC42CB91
                                          Function 07FE3CE8 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: 3f37a739c7338e2a1eb8a6a83bc15b135baf6c0a108954bbd79bf1c461bccc23
                                          • Instruction ID: 6e7b947ecb55bbff79dd4e4345067b3bc3ddfd157fcc5e03968d4c43c96a6116
                                          • Opcode Fuzzy Hash: 3f37a739c7338e2a1eb8a6a83bc15b135baf6c0a108954bbd79bf1c461bccc23
                                          • Instruction Fuzzy Hash: 63314A717006149FD318EB69C898F2A73EAEFC8704F144468E60A8B3A1CF71EC42CB91
                                          Function 07FE1F41 Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 4'q
                                          • API String ID: 0-1807707664
                                          • Opcode ID: feece2fa1d91ddfbacf3789ebf176820cfa8e4d845281532810b76a4708b0de8
                                          • Instruction ID: bb3870a9f9bbd4c3dc598d3d431ab48fad1a4fd2641820e239d6e89cc2fb4ad0
                                          • Opcode Fuzzy Hash: feece2fa1d91ddfbacf3789ebf176820cfa8e4d845281532810b76a4708b0de8
                                          • Instruction Fuzzy Hash: 4431D530B142559BC755AB688C64AAEBBBBBFC5610F14002EE606EB394CF789C06C791
                                          Function 07FE21B0 Relevance: .4, Instructions: 437COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1629ec465692d8e46f01e666567dc195689dea8acef128d22b8650dc6738828b
                                          • Instruction ID: fbb961ce2365457248d0ca6a7011d922c5cab932b6c75a6914681e64aed8a2ef
                                          • Opcode Fuzzy Hash: 1629ec465692d8e46f01e666567dc195689dea8acef128d22b8650dc6738828b
                                          • Instruction Fuzzy Hash: 12124870A106198FCB54EF68C894B9DB7B6BF89300F5485A9E50AAB365DF30ED85CF40
                                          Function 07FE9700 Relevance: .4, Instructions: 408COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8ce8fbfa27e9543aace9ff79e6feed0a5d8e56b9b3c170bb3c9a56d5400a1563
                                          • Instruction ID: 5a8c8c68da11d2d76a66a907856876c3a2fde7f733338621143a009d4beb78e0
                                          • Opcode Fuzzy Hash: 8ce8fbfa27e9543aace9ff79e6feed0a5d8e56b9b3c170bb3c9a56d5400a1563
                                          • Instruction Fuzzy Hash: C7E107B07006058FD715CF68D88466EBBEAFF85615B588A1ED486CB795CB70FC01CBA2
                                          Function 07FE28A0 Relevance: .4, Instructions: 365COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f3cc38abdbbb8eca61efe8f61d0b2ffb85922950ac2b1285e25f01c553f7296
                                          • Instruction ID: 7ef63f9c738b15b4a690d5e7b8c4d9b8b071c3e895c358dd55d62835f6d21f70
                                          • Opcode Fuzzy Hash: 6f3cc38abdbbb8eca61efe8f61d0b2ffb85922950ac2b1285e25f01c553f7296
                                          • Instruction Fuzzy Hash: C8E18674A00609DFCB54EFA8D4949ADBBB6FF89310F148569E9066B364DF30EC42CB91
                                          Function 07FEB2C0 Relevance: .3, Instructions: 314COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d89e395bf4d41ac2e3cc32d0440d6253ef5fd619a0c807c07e42890fb6c203b9
                                          • Instruction ID: af158af15019c9e5975538cc009821f2e847d21d033a12d595eab6336990ad52
                                          • Opcode Fuzzy Hash: d89e395bf4d41ac2e3cc32d0440d6253ef5fd619a0c807c07e42890fb6c203b9
                                          • Instruction Fuzzy Hash: 13C1BCF1A04745CFDB29CF28D445A2ABBF6BF85310F28856DE4868B6A5CB30EC41CB51
                                          Function 07FE6B38 Relevance: .3, Instructions: 264COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a8a4d492a3b3fefc65c241e02666af77fa260f1454db6e1ff07b900bcd27a1ee
                                          • Instruction ID: 07248fce73ed176daf2c129aacb53b71250876be19cd555449db84e050114428
                                          • Opcode Fuzzy Hash: a8a4d492a3b3fefc65c241e02666af77fa260f1454db6e1ff07b900bcd27a1ee
                                          • Instruction Fuzzy Hash: C8A17D74B006088FCB44EF68C8A4AAE77B6EFC9700F104559E5169B3A4DF71EC46CB92
                                          Function 07FE6B48 Relevance: .3, Instructions: 256COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 47b75004070db11e3b70c3bbf9e407403897fe4d1082fc0a92935592429235f6
                                          • Instruction ID: 998b88ba878f8e1e828cdd62be88912085911196f7a6f17175386872cf3b1fb0
                                          • Opcode Fuzzy Hash: 47b75004070db11e3b70c3bbf9e407403897fe4d1082fc0a92935592429235f6
                                          • Instruction Fuzzy Hash: 00A15E74B106088FCB44EFA8C8A4AAE77B6EFC9700F104559E5169B3A4DF71EC46CB91
                                          Function 07FE3170 Relevance: .2, Instructions: 228COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b96fd5768a3b34af5dd1bd0a2d401aab678a6fe07bd5ace9027e3b372556b6d
                                          • Instruction ID: 136a0f25dad92f2bf8c7a00e9ce27dbbe234aef3612b8d7871a9676bc346063b
                                          • Opcode Fuzzy Hash: 3b96fd5768a3b34af5dd1bd0a2d401aab678a6fe07bd5ace9027e3b372556b6d
                                          • Instruction Fuzzy Hash: F2914D70B10215DFCB54DF68D898A6DBBB6EF89710F1841A9E906DB3A1CB34EC41CB91
                                          Function 07FE5AC8 Relevance: .2, Instructions: 204COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0e8da5aaf68f56a12858f343f9d961723ba683e341ee95f85ab250eb7b072cc0
                                          • Instruction ID: 7b28c5f8b2fd1639011361fe355fb5ab9410d8d9aed8b424fc5ce9ce27137e83
                                          • Opcode Fuzzy Hash: 0e8da5aaf68f56a12858f343f9d961723ba683e341ee95f85ab250eb7b072cc0
                                          • Instruction Fuzzy Hash: D3817270B006099FDB58EF64D864BAEB7B6EF88700F244129D511AB394CF75ED42CB91
                                          Function 07FEA6CB Relevance: .2, Instructions: 199COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a5f855c38e1cd3d830c1124da3ebc1f38d997f04a9bd7dc9719278ab028d046
                                          • Instruction ID: ce08219aa8f7183ac41e4a1433c1b19a332b066b50c9fda7d0bc6385d588b39b
                                          • Opcode Fuzzy Hash: 6a5f855c38e1cd3d830c1124da3ebc1f38d997f04a9bd7dc9719278ab028d046
                                          • Instruction Fuzzy Hash: 3581D4B5A21229EFDB54CF98D980EADB7B6FF88310F198159E905AB361D731EC41CB40
                                          Function 07FEAE38 Relevance: .2, Instructions: 177COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a674b48770749dfa49b8cdafdee4c09279149acca0db5473fc0bccd35f5f500
                                          • Instruction ID: b1a741f9fb72363de9b38d5a00a97204212764b8a08f2eafe9fd81780b031cac
                                          • Opcode Fuzzy Hash: 0a674b48770749dfa49b8cdafdee4c09279149acca0db5473fc0bccd35f5f500
                                          • Instruction Fuzzy Hash: 3351E3B17007418FE324DF2AD880B6BBBE6EF85320F14C52EE5568B291DB75E905CB91
                                          Function 07FE0F18 Relevance: .2, Instructions: 176COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b389b01331362d1a4eea144f6d3c7ee7d978fda95c20315d0ec9fca50d327b6a
                                          • Instruction ID: 6c6607eafe96a250c766e2dd6214728271f63624095f3e40cb2724caaafe9cdf
                                          • Opcode Fuzzy Hash: b389b01331362d1a4eea144f6d3c7ee7d978fda95c20315d0ec9fca50d327b6a
                                          • Instruction Fuzzy Hash: 96519270B006058FC754EF69C95496EBBFAEF89300B10416AE616DB361DF34ED06CBA1
                                          Function 07FE3161 Relevance: .2, Instructions: 170COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2cc049c35078b5f6356aaf485a31b877f976f5af2297bce4298c04a33974bf14
                                          • Instruction ID: 7b36828bbad6243417a9bf772e7d3e7374fe5cf083e29e1a156cdf9f17b6ed64
                                          • Opcode Fuzzy Hash: 2cc049c35078b5f6356aaf485a31b877f976f5af2297bce4298c04a33974bf14
                                          • Instruction Fuzzy Hash: A8611B74B10215DFCB44DF68D898AADB7BAFF89710F148169E9069B365CB70EC41CB90
                                          Function 07FE5AB8 Relevance: .2, Instructions: 166COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 639841109c26eb39f16bbb6321a6479696ba1e233ee71c0c36eea32c819d676b
                                          • Instruction ID: 5deb33e42c5d637fea1546231a7f1c5dced77afca5f72d3cdb2133a060bfe12f
                                          • Opcode Fuzzy Hash: 639841109c26eb39f16bbb6321a6479696ba1e233ee71c0c36eea32c819d676b
                                          • Instruction Fuzzy Hash: 8551A1B0B006099BDB19EF64D854BAEB7B7EF88704F244429D401AB391CF75ED82CB95
                                          Function 07FE7238 Relevance: .2, Instructions: 164COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5c86fcd7c7548d1b1b3adb0e10549c32705817249f2eebec46903a525039c52c
                                          • Instruction ID: 0036f61474d14886062dda30ea8f7c2956edea29f92462b6b59c66a173601321
                                          • Opcode Fuzzy Hash: 5c86fcd7c7548d1b1b3adb0e10549c32705817249f2eebec46903a525039c52c
                                          • Instruction Fuzzy Hash: 3141D732B041596FDF059EE99C509FFBBEEEF89210B08406BFA15D3141D935C91597B0
                                          Function 07FE2FC8 Relevance: .2, Instructions: 157COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c671dc5170a6f2e5c76ee975a3e642bb8f0bf557682ee711b5b3c243e95ef44f
                                          • Instruction ID: 5bd883f908487a10b3f9a875518f1818fc691e51807c724af3c2b2035426bac4
                                          • Opcode Fuzzy Hash: c671dc5170a6f2e5c76ee975a3e642bb8f0bf557682ee711b5b3c243e95ef44f
                                          • Instruction Fuzzy Hash: 5151A0727042409FC70A9F69E854E697FB6FF8922071980EAE205CB272CA35DC15DBA1
                                          Function 07FE2E38 Relevance: .1, Instructions: 140COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76b40bba04e5bef02ac8df98aeb1a93a94451752e9a7a3d9be2495aebf23e6c6
                                          • Instruction ID: 068a9cbc950d8289f9585ce953668b14f2deb8b5ea53968dc8e27e62134b56c8
                                          • Opcode Fuzzy Hash: 76b40bba04e5bef02ac8df98aeb1a93a94451752e9a7a3d9be2495aebf23e6c6
                                          • Instruction Fuzzy Hash: 5F417C713007019FD7299B24C894B2AB7A7FFC9700F188568E6568B7A5DB72EC42DB81
                                          Function 07FEAA70 Relevance: .1, Instructions: 124COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bd83507c9f94c421c04ce1c89eb3b1b81e55e29e3e62f5f1c217770f6cbad0f3
                                          • Instruction ID: f0dca336cab126fa330730544f6886f562439fa59dfae6d5ad0694b8107a5a8d
                                          • Opcode Fuzzy Hash: bd83507c9f94c421c04ce1c89eb3b1b81e55e29e3e62f5f1c217770f6cbad0f3
                                          • Instruction Fuzzy Hash: E7419071B002159FC714DB69D850A9EBBF6FF89310B2881AAE509DB361DB31EC02CB80
                                          Function 07FEB158 Relevance: .1, Instructions: 124COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bffc4628c553bd7799517817f956818a572799ba67fbcbfe244b5d19480468d5
                                          • Instruction ID: 655c2a2956963530c322cb6a7f0b8d394a68aa7ac5990717726799f46d4d65af
                                          • Opcode Fuzzy Hash: bffc4628c553bd7799517817f956818a572799ba67fbcbfe244b5d19480468d5
                                          • Instruction Fuzzy Hash: DE41BEB1F047158FCB61DF78E54069EBBF6EF84220B18896ED15AC7A84DB34E840CB81
                                          Function 07FE5E11 Relevance: .1, Instructions: 101COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f7c56198502e1166ca05ad118e6a95c66ceadc2cb676498465318f80e0ff1d93
                                          • Instruction ID: fa00773df70a6d7d2496689c9176c11f21f421d5a2aa95788d8a4afb89e9becf
                                          • Opcode Fuzzy Hash: f7c56198502e1166ca05ad118e6a95c66ceadc2cb676498465318f80e0ff1d93
                                          • Instruction Fuzzy Hash: 0D319E30B146088FCB45EF68C8545AEBBBAAFC9700B14855BD902DB365DF749D06CBE2
                                          Function 07FE34A0 Relevance: .1, Instructions: 94COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0fdf91910bb3449ce6ec2ed3ae35cdd232559070830e4ac39cebf169abfd550b
                                          • Instruction ID: 3dc947006c92e9b6f8f9354a1477e218d7535c0ab3f7765998bb89bc76cbd392
                                          • Opcode Fuzzy Hash: 0fdf91910bb3449ce6ec2ed3ae35cdd232559070830e4ac39cebf169abfd550b
                                          • Instruction Fuzzy Hash: 8F312C75A002199BDF14DF68D854AEEBBB6FF88310F148029E911B73A4CB759D45CFA0
                                          Function 07FE5E28 Relevance: .1, Instructions: 93COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 339076cdab83a59abaa553fee3e634ee25f4d5746f408b17f6bd0910af12e089
                                          • Instruction ID: 5354e3360af6af64653c2655ebd24212eed2567aed8767c9a7da7aa8c695b934
                                          • Opcode Fuzzy Hash: 339076cdab83a59abaa553fee3e634ee25f4d5746f408b17f6bd0910af12e089
                                          • Instruction Fuzzy Hash: 85317234B105198FCB44EF68C898A6EB7BAEFC9700F10851ADA069B364DF749D02DBD1
                                          Function 07FEA5C8 Relevance: .1, Instructions: 84COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b816a91016d7b9f678c326d21c2a4c4e836e4331699bfa0faa728795ffd86068
                                          • Instruction ID: 0a23e0683b399b6eef774f639faafc990825db9666ec5956d2f006725136cab0
                                          • Opcode Fuzzy Hash: b816a91016d7b9f678c326d21c2a4c4e836e4331699bfa0faa728795ffd86068
                                          • Instruction Fuzzy Hash: 5031F0B5E51218DFEB14CFA9E884FEDBBB5BF48310F088159E411AB261D7709845CF50
                                          Function 0140D1D4 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756188717.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_140d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a58869f86809b253624bee70d2799177843c0082259691756404f2a0f0222089
                                          • Instruction ID: 155bc4da9e7fd6a9c0b1438b1cbedee46665b5f598f7d53d52f30a2c3f57bf2f
                                          • Opcode Fuzzy Hash: a58869f86809b253624bee70d2799177843c0082259691756404f2a0f0222089
                                          • Instruction Fuzzy Hash: EF21D371904300EFDB16DFA5D9C0B26BB65FB84324F20C57EE9094B3A2C336D44ACA61
                                          Function 0140D01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756188717.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_140d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 358eefc0c341f79eea84dd9976c92ca516d1f3132d39566b66aeca73e848525b
                                          • Instruction ID: cb50b4b7b8af3fbe382c3ce0f48ddf67071663f8c59acd66a1451984df7ca2a7
                                          • Opcode Fuzzy Hash: 358eefc0c341f79eea84dd9976c92ca516d1f3132d39566b66aeca73e848525b
                                          • Instruction Fuzzy Hash: AE21D6B1904200DFDB16DFA5D984B16BB65EB84358F20C57ED90E4B3A6C336D44BCA62
                                          Function 07FEABB8 Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fad305148a5b804ee98e2d579f9890de1ea4ad0268d296affe7a7d9d758f0aee
                                          • Instruction ID: 906f8baf1614a27831602c1ee948a872279a76b4dc40da83a4b2d7e44a366847
                                          • Opcode Fuzzy Hash: fad305148a5b804ee98e2d579f9890de1ea4ad0268d296affe7a7d9d758f0aee
                                          • Instruction Fuzzy Hash: 57218371A04219DFCB159FA8C444DEE7FBAEF8D320F18552AE511A7391DA319882CBA1
                                          Function 07FE0E78 Relevance: .1, Instructions: 68COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59513670de92b3fa7170068d362a737a2e12e25f8b709b7851f41a35aea9a803
                                          • Instruction ID: 24dfd0056957a931a8f3dd608f560170ae72296f5626512b20a86d8178fab612
                                          • Opcode Fuzzy Hash: 59513670de92b3fa7170068d362a737a2e12e25f8b709b7851f41a35aea9a803
                                          • Instruction Fuzzy Hash: A311E576300119AFCB065F94D804DAA7F7AEF89211B0940A7F6448F132CB71CC52DB91
                                          Function 07FE2D78 Relevance: .1, Instructions: 68COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bcbac939bfff9a686d0ba875a45a4566b71fdd114017b0700f62858b0f426087
                                          • Instruction ID: e6cac1397c80cdd66196634a6925a14890749bf01dd7faa3f97b10101d22cfc4
                                          • Opcode Fuzzy Hash: bcbac939bfff9a686d0ba875a45a4566b71fdd114017b0700f62858b0f426087
                                          • Instruction Fuzzy Hash: 7D21A174B106048FCB10DF28D894AAEBBFABF89310F14456AE5419B361DB70ED05CBA2
                                          Function 07FEABC8 Relevance: .1, Instructions: 67COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a192898701e7505433d51290d31aa6cc2aea882775ea6cc7d477e092eeeaa018
                                          • Instruction ID: f569e1134902b40b4c644eb89d57eabcdd41ee8be3e6456b422176feb53e6f5f
                                          • Opcode Fuzzy Hash: a192898701e7505433d51290d31aa6cc2aea882775ea6cc7d477e092eeeaa018
                                          • Instruction Fuzzy Hash: 3B214F71A00219DFCB159FA8C4449EE7BBAFF8D320F189129E511A73A0DB319C41CBA1
                                          Function 0140D006 Relevance: .1, Instructions: 62COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756188717.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_140d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4b9665d9c99fc07895120a8907d622a33f788d92fb177b34d5acb9124a0c92b
                                          • Instruction ID: c737a38fdad3de0c77795fa25ef987bd3d0f204eac17dfff985ad02f321fb575
                                          • Opcode Fuzzy Hash: b4b9665d9c99fc07895120a8907d622a33f788d92fb177b34d5acb9124a0c92b
                                          • Instruction Fuzzy Hash: 1A21B0755093808FCB03CF64D990712BF71EB46214F28C5EBD8498F6A3C33A980ACB62
                                          Function 07FE2D88 Relevance: .1, Instructions: 59COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed5eb402d729a0f0d8c5d03c36ab0445065229efbb99bd13c62d03c6bb05c6b1
                                          • Instruction ID: 776645d846e6a225baac37d75195f273643d73f6d6b7309a43e6fd4c5a35ce7e
                                          • Opcode Fuzzy Hash: ed5eb402d729a0f0d8c5d03c36ab0445065229efbb99bd13c62d03c6bb05c6b1
                                          • Instruction Fuzzy Hash: 6E118E34B106048FCB54EF28D988A6EB7F6FF88310F144529E6069B360DB70ED05CBA2
                                          Function 0140D1CF Relevance: .1, Instructions: 53COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756188717.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_140d000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: 56955f80544f7a558e8a02675a563c4d3a45f3b1f3bc707d36de8ec93913e265
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: C211AC75904240DFDB16CF94D5C0B16BB61FB84224F24C6AED8494B7A6C33AD40ACB51
                                          Function 07FE35D9 Relevance: .1, Instructions: 52COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a9e0eddabd583064d01ea06cdb1a45e6e91e6079864516a6adfdb0a3220d015f
                                          • Instruction ID: a491b28a40ac0f8b96ebd58a89409d4c8527b74201cdf24ee63927e8ecca930a
                                          • Opcode Fuzzy Hash: a9e0eddabd583064d01ea06cdb1a45e6e91e6079864516a6adfdb0a3220d015f
                                          • Instruction Fuzzy Hash: 45112571700340DFC7269B34D454AAA7BA6EFCA310F1945ADE4824B791CF31EC42CB91
                                          Function 07FE0E88 Relevance: .0, Instructions: 49COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cd4d54b77e082299b1998f523880a20d3593b03178070f4831b56c13b444c5d
                                          • Instruction ID: 391530ec6240547262adfc2b13c3896839726782fc8d41d66ba66c7b5b6b1d93
                                          • Opcode Fuzzy Hash: 9cd4d54b77e082299b1998f523880a20d3593b03178070f4831b56c13b444c5d
                                          • Instruction Fuzzy Hash: 2F0124617082859BC70A1638542033E3AAA9FC2100F2940BFD645CB382CEA89C0283D2
                                          Function 07FEA8C8 Relevance: .0, Instructions: 48COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: aa3e50db184bac5e952f31620766dec9d21c75cfbb0dbe12e48ca459dc56e2c9
                                          • Instruction ID: b5b01350c0eea85cff55bd35d4797ab74197d3ab06cdd7d1f54d60dfd27a5504
                                          • Opcode Fuzzy Hash: aa3e50db184bac5e952f31620766dec9d21c75cfbb0dbe12e48ca459dc56e2c9
                                          • Instruction Fuzzy Hash: 65112A74A21229DFCB54CF58DC94EADBBB1FF48220F054099E516AB3A2CB759C41CB41
                                          Function 07FE0991 Relevance: .0, Instructions: 47COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6b82da6add4a9de3bf23d7ca2d4ab147728d5084258a6162225b64ccf2790ee4
                                          • Instruction ID: fd2a998ef56701496ced8be1e8e75785abf9b75237e016eb4bbce737ef91bfa8
                                          • Opcode Fuzzy Hash: 6b82da6add4a9de3bf23d7ca2d4ab147728d5084258a6162225b64ccf2790ee4
                                          • Instruction Fuzzy Hash: C20184393006149FC3159B24D42495ABBB6EFC9711B10826AE9058B791CF36ED42CBD5
                                          Function 07FEB6D0 Relevance: .0, Instructions: 46COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 17107221eeb349a092380441f4183ba9404800ecbff0f87967fc7fa42e1c0fa5
                                          • Instruction ID: 5d5339044c1a0373dd2e6d232a7c0508cbff329327ff5462e6aaeab86a377612
                                          • Opcode Fuzzy Hash: 17107221eeb349a092380441f4183ba9404800ecbff0f87967fc7fa42e1c0fa5
                                          • Instruction Fuzzy Hash: 9C0192B5E146199FCB11EFACD5045DDBBB5FF89311F10816AE445E7310EB309A05CB51
                                          Function 07FE35E8 Relevance: .0, Instructions: 44COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 22e27c226ea6173a5c193fe2bd248adb15a16971cfd2aadc86de2a9d918ad273
                                          • Instruction ID: cf10a4187343d9ace5a8f0ba90e38f45323338194f0d49bcd6cd5620eabd5605
                                          • Opcode Fuzzy Hash: 22e27c226ea6173a5c193fe2bd248adb15a16971cfd2aadc86de2a9d918ad273
                                          • Instruction Fuzzy Hash: 96019E717002049FC725AA34D454E6A77A7AFC5320F198668E5564B794CF72EC02DB91
                                          Function 07FE0718 Relevance: .0, Instructions: 40COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 943278a35a800f63f2d77d404431f56ee9e7db80bee963f72a28e1d3cd42d9a8
                                          • Instruction ID: d261cc414724c34eb4d656175139f063c0d4cd44c032caeca867423405cb0aa8
                                          • Opcode Fuzzy Hash: 943278a35a800f63f2d77d404431f56ee9e7db80bee963f72a28e1d3cd42d9a8
                                          • Instruction Fuzzy Hash: 29F0C2353103409FC7159B28D854D6ABBBAEF8A720B0580AAFA85CF371CA31DC42CB90
                                          Function 07FE09A0 Relevance: .0, Instructions: 39COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 04f2d420a524ed5ac77bd10f04ce9cc3e9e8904a6b1444146823a443118bec5b
                                          • Instruction ID: cc383119cd7a720bd320210a78328925a8ed401e7d4c21c399579f6d608716c2
                                          • Opcode Fuzzy Hash: 04f2d420a524ed5ac77bd10f04ce9cc3e9e8904a6b1444146823a443118bec5b
                                          • Instruction Fuzzy Hash: 3001A4353006149FC7059B25D42495AB7B7EFCC711B108169EE0687794CF32EC02CBD0
                                          Function 013FD603 Relevance: .0, Instructions: 37COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756113357.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_13fd000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 175bd4d9474bf3295271b01f212f7316c45da5ffc9845eea0e357062de54488e
                                          • Instruction ID: fae9f2465f597b8153873a98030845fa4707c92d683278e02744a0b9f0049e8c
                                          • Opcode Fuzzy Hash: 175bd4d9474bf3295271b01f212f7316c45da5ffc9845eea0e357062de54488e
                                          • Instruction Fuzzy Hash: 68F0F9B6600644AFD7208F0AD984C27FBADEBD4674715C55AFD4A4B612C672EC41CEA0
                                          Function 013FD5F4 Relevance: .0, Instructions: 35COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3756113357.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_13fd000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74a4c6b7e46cbf544575c4ce6114bcb966659b4f2daa1fffc9bcadb5160dbe99
                                          • Instruction ID: ccb2ee8cbc090078eda489a94c544d6fc604da081fe3f5f264207f41764e2a10
                                          • Opcode Fuzzy Hash: 74a4c6b7e46cbf544575c4ce6114bcb966659b4f2daa1fffc9bcadb5160dbe99
                                          • Instruction Fuzzy Hash: 35F03775104680AFD725CF06C984C23BFB9EF8A6647198489FC4A8B762C671FC42CF60
                                          Function 07FE0728 Relevance: .0, Instructions: 32COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37996418f6bc65a3def5c2e8a013b670b0617d3100f118c760979b6f66dc0004
                                          • Instruction ID: 1e948d80547c70933572ca2594c4498783c51d297b14c834bb85a6ed7693f8da
                                          • Opcode Fuzzy Hash: 37996418f6bc65a3def5c2e8a013b670b0617d3100f118c760979b6f66dc0004
                                          • Instruction Fuzzy Hash: A4F05E393102009FC714DF19D894D2AB7AAEFC9721B104069FA068B360CA31EC42DB90
                                          Function 07FEA551 Relevance: .0, Instructions: 27COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 59edcab0afe5dba884172bcd38adf45f95058a42b25f238f130b8ac7c560f57f
                                          • Instruction ID: efa7d2e516bb26c16f0c084657d301bae3e4445621ed3b9eb37fbca202e75335
                                          • Opcode Fuzzy Hash: 59edcab0afe5dba884172bcd38adf45f95058a42b25f238f130b8ac7c560f57f
                                          • Instruction Fuzzy Hash: 00F0A0357001049FDB04CB18D980A69B7F5FF89214F158199E1099F362D632FC028B90
                                          Function 07FEAA20 Relevance: .0, Instructions: 23COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b2118171f3295e029a76f5e7d44f33b02f10ef8662af72de102af020fb44371d
                                          • Instruction ID: a64e7588e342de467f2166cb51f61f2c6cfd94e732cab8b98ef189a5198ba258
                                          • Opcode Fuzzy Hash: b2118171f3295e029a76f5e7d44f33b02f10ef8662af72de102af020fb44371d
                                          • Instruction Fuzzy Hash: A2E0CD653093D497C30552796C154DBBF9B8B86220709C0DBD60587681CC759C0587D5
                                          Function 07FE38B1 Relevance: .0, Instructions: 21COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2dd7bb8c27e3799df2bba2515615a9289fe70ad88ffc143496d0f543f86ad743
                                          • Instruction ID: a6bde7a2e9fa2ff59cc9a37b5c35eb59a627cf8a372cd573aedb53cda4fb2ec8
                                          • Opcode Fuzzy Hash: 2dd7bb8c27e3799df2bba2515615a9289fe70ad88ffc143496d0f543f86ad743
                                          • Instruction Fuzzy Hash: CAE0CDF301D38CAFC3065B60DC144E0BF75BF1620071D40A7D5C547112C6325555C755
                                          Function 07FE8D80 Relevance: .0, Instructions: 18COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 485480e0991eebe8d620104d85748f987443993bd565730bc517177d71064a6c
                                          • Instruction ID: c62fdd6c21550a65e693972c0ac6d4d6d7aedb3d01dbb49eff786cf86326150a
                                          • Opcode Fuzzy Hash: 485480e0991eebe8d620104d85748f987443993bd565730bc517177d71064a6c
                                          • Instruction Fuzzy Hash: CFD0A7746083C91FCB7213F858201F93FA99F9714071845C7E9C98B2A6D914DD83C7A3
                                          Function 07FEAA30 Relevance: .0, Instructions: 16COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d31bc65ec9c145773f5dfd44b971fbf47584d6a1d88998381af17bc668d11bc2
                                          • Instruction ID: b9b6179b0d6e86f535d0aed76c94c911add40707a36d1023f5ff7e4897c4ff52
                                          • Opcode Fuzzy Hash: d31bc65ec9c145773f5dfd44b971fbf47584d6a1d88998381af17bc668d11bc2
                                          • Instruction Fuzzy Hash: EBD0A9B13042A887C308A2BEA8141AFB28F8BC9210B04806A9A0A83B44CC749C010699
                                          Function 07FEB120 Relevance: .0, Instructions: 16COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 53607f2fc465c7fcfcad09cbc147d012d1f7997c57d0961b1a4505a2d669ca8b
                                          • Instruction ID: 8149f5bb3ddbc6dc878b5c4cc4601d24b28e83cd1a1a315d2cb9429e4cbc4c86
                                          • Opcode Fuzzy Hash: 53607f2fc465c7fcfcad09cbc147d012d1f7997c57d0961b1a4505a2d669ca8b
                                          • Instruction Fuzzy Hash: FFD09E391092805FC353CB14D860992FFA56F9B214729C8CFE5C58B253C6279B17D7A1
                                          Function 07FE06F1 Relevance: .0, Instructions: 14COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 76ed0067a2492fb63f79dd879e0e552c0c7ceaba995d1274a017c4a5d47355b9
                                          • Instruction ID: b8ae02eb94479d7360916f08985fcc5139d7cf97fbddcb6d7f398eef774c54c7
                                          • Opcode Fuzzy Hash: 76ed0067a2492fb63f79dd879e0e552c0c7ceaba995d1274a017c4a5d47355b9
                                          • Instruction Fuzzy Hash: 79D0C93A14D6809FC3028B64E8158A07FB1AF5676131981D7E088CB673C226CE55D795
                                          Function 07FE0E51 Relevance: .0, Instructions: 14COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 697ddc379a4def973d10c913c29c0063b932fa66cecfa50c6a4f9c8d2fc33166
                                          • Instruction ID: 59660c6ff269d0a7436f2fe31df89acdee79aebd70fe88dad2360da0ddb93cad
                                          • Opcode Fuzzy Hash: 697ddc379a4def973d10c913c29c0063b932fa66cecfa50c6a4f9c8d2fc33166
                                          • Instruction Fuzzy Hash: 8FD0A73620E3809FC303573194108967F32EBC63013058996F141C75A2C3318D59D761
                                          Function 07FE8D90 Relevance: .0, Instructions: 14COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a49cbbe9113157d7103cfba121887e780da69f895587c9f12859f3624b704f2
                                          • Instruction ID: 8251a45feb9c016384e50a9b8c66637c2a544c5ea4600d39f8196ea4242ece92
                                          • Opcode Fuzzy Hash: 8a49cbbe9113157d7103cfba121887e780da69f895587c9f12859f3624b704f2
                                          • Instruction Fuzzy Hash: 63C08C30B503094B9AB466F468041AA33CDDBC4154B1880A5AE0EC7248EE22EC429392
                                          Function 07FE9F78 Relevance: .0, Instructions: 11COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f75fe13aa7698e7f5655f76be1d02049dbe766d2bf90f91faf76cbe847b72ad1
                                          • Instruction ID: 3115ba45d8ce74c60f43369c8197b36862f7179745ac0606105f4979f4609db4
                                          • Opcode Fuzzy Hash: f75fe13aa7698e7f5655f76be1d02049dbe766d2bf90f91faf76cbe847b72ad1
                                          • Instruction Fuzzy Hash: 39C08CB480420CCFEB209AA0D4097643BACE70433BF14229CEC08051018BB368D2C5B3
                                          Function 07FEAA43 Relevance: .0, Instructions: 11COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52bb7829548717dfbe0ad2215db2e863ae2d4d09a7b143d5a9a4824c7beb09b1
                                          • Instruction ID: b5f1ff5c2ced4548f655cbbc816f11cc7a4390c0953a29d11dc2879991e0237f
                                          • Opcode Fuzzy Hash: 52bb7829548717dfbe0ad2215db2e863ae2d4d09a7b143d5a9a4824c7beb09b1
                                          • Instruction Fuzzy Hash: F2B092B359085E8789122EB8784D9CE3742E9392E9B1810A2E18CC5250D60E96064A80
                                          Function 07FE8F08 Relevance: .0, Instructions: 10COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d8ef781305eb473167e47359319ddbf554f5a0288b02997e704fe499302b72c0
                                          • Instruction ID: 33a5eb291b3314c25d79e9daba056b4a648d58109999e31e60caab8668ac54ef
                                          • Opcode Fuzzy Hash: d8ef781305eb473167e47359319ddbf554f5a0288b02997e704fe499302b72c0
                                          • Instruction Fuzzy Hash: 2ED0A9384081815FC322CB20C820C20BFB19F9A308B18C4EE99C88B253CA37AC13CB02
                                          Function 07FE0700 Relevance: .0, Instructions: 8COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                          • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                          • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                          • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                          Function 07FE38C0 Relevance: .0, Instructions: 7COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 27a2f39d55ba769b651d666cbee98e4f2237c3de045cca73e1428bf58392fdff
                                          • Instruction ID: 4d8f1307c2f730088c27d01a6f532cf8ba24e6cc7e82815bcda4f04b6a8913f8
                                          • Opcode Fuzzy Hash: 27a2f39d55ba769b651d666cbee98e4f2237c3de045cca73e1428bf58392fdff
                                          • Instruction Fuzzy Hash: CFB09232004208AB86009B84E904895BB6AAB586007008025BA0906121CB32A862DB94

                                          Non-executed Functions

                                          Function 07FE1108 Relevance: 5.2, Strings: 4, Instructions: 156COMMON
                                          Download Yara Rule
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.3791729016.0000000007FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_16_2_7fe0000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (_q$(_q$(_q$(_q
                                          • API String ID: 0-1088526261
                                          • Opcode ID: 32eb6dd031859c7a45fd8d0a715f3e80c0e4acba429f431628947d263e85ff1c
                                          • Instruction ID: 304c5641a0e0c62c8983fcdb57defc5fb1903c2ff80836aebae5794b7de3c55a
                                          • Opcode Fuzzy Hash: 32eb6dd031859c7a45fd8d0a715f3e80c0e4acba429f431628947d263e85ff1c
                                          • Instruction Fuzzy Hash: 6C518FB5F102098FC704EF79D85456EBBB6BF8A704B24456DE506AB361DB31DC81CB80

                                          Execution Graph

                                          Execution Coverage:8.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:100
                                          Total number of Limit Nodes:10
                                          execution_graph 14050 2ee4668 14051 2ee4676 14050->14051 14062 2ee51d8 14051->14062 14066 2ee5050 14051->14066 14070 2ee5041 14051->14070 14074 2ee5480 14051->14074 14078 2ee4ff9 14051->14078 14052 2ee46af 14082 2ee6de0 14052->14082 14055 2ee4704 14063 2ee520a 14062->14063 14065 2ee5313 14063->14065 14091 2ee4e90 14063->14091 14065->14052 14067 2ee5069 14066->14067 14068 2ee4e90 4 API calls 14067->14068 14069 2ee50a7 14067->14069 14068->14069 14069->14052 14072 2ee5050 14070->14072 14071 2ee4e90 4 API calls 14073 2ee50a7 14071->14073 14072->14071 14072->14073 14073->14052 14075 2ee5490 14074->14075 14076 2ee4e90 4 API calls 14075->14076 14077 2ee54ad 14075->14077 14076->14077 14077->14052 14080 2ee5002 14078->14080 14079 2ee4e90 4 API calls 14081 2ee50a7 14079->14081 14080->14079 14080->14081 14081->14052 14083 2ee6e05 14082->14083 14101 2ee6edf 14083->14101 14105 2ee6ef0 14083->14105 14084 2ee46e9 14087 2ee421c 14084->14087 14088 2ee4227 14087->14088 14113 2ee8560 14088->14113 14090 2ee8806 14090->14055 14092 2ee4e9b GetCurrentProcess 14091->14092 14094 2ee65d8 GetCurrentThread 14092->14094 14095 2ee65d1 14092->14095 14096 2ee660e 14094->14096 14097 2ee6615 GetCurrentProcess 14094->14097 14095->14094 14096->14097 14100 2ee664b 14097->14100 14098 2ee6673 GetCurrentThreadId 14099 2ee66a4 14098->14099 14099->14065 14100->14098 14103 2ee6f17 14101->14103 14102 2ee6ff4 14102->14102 14103->14102 14109 2ee6414 14103->14109 14106 2ee6f17 14105->14106 14107 2ee6ff4 14106->14107 14108 2ee6414 CreateActCtxA 14106->14108 14108->14107 14110 2ee7370 CreateActCtxA 14109->14110 14112 2ee7433 14110->14112 14114 2ee856b 14113->14114 14117 2ee8580 14114->14117 14116 2ee88dd 14116->14090 14118 2ee858b 14117->14118 14121 2ee85b0 14118->14121 14120 2ee89ba 14120->14116 14122 2ee85bb 14121->14122 14125 2ee85e0 14122->14125 14124 2ee8aad 14124->14120 14126 2ee85eb 14125->14126 14128 2ee9e93 14126->14128 14131 2eebed1 14126->14131 14127 2ee9ed1 14127->14124 14128->14127 14137 2eedf70 14128->14137 14132 2eebeda 14131->14132 14134 2eebe91 14131->14134 14141 2eebef8 14132->14141 14144 2eebf08 14132->14144 14133 2eebee6 14133->14128 14134->14128 14139 2eedf91 14137->14139 14138 2eedfb5 14138->14127 14139->14138 14152 2eee120 14139->14152 14147 2eebff0 14141->14147 14142 2eebf17 14142->14133 14145 2eebf17 14144->14145 14146 2eebff0 GetModuleHandleW 14144->14146 14145->14133 14146->14145 14148 2eec034 14147->14148 14149 2eec011 14147->14149 14148->14142 14149->14148 14150 2eec238 GetModuleHandleW 14149->14150 14151 2eec265 14150->14151 14151->14142 14153 2eee12d 14152->14153 14154 2ee5480 4 API calls 14153->14154 14155 2eee15b 14154->14155 14156 2eee166 14155->14156 14158 2eec464 14155->14158 14156->14138 14160 2eec46f 14158->14160 14159 2eee1d8 14160->14159 14162 2eec498 14160->14162 14163 2eec4a3 14162->14163 14164 2ee85e0 7 API calls 14163->14164 14165 2eee247 14164->14165 14168 2eee2c0 14165->14168 14166 2eee256 14166->14159 14169 2eee2ee 14168->14169 14170 2eec530 GetFocus 14169->14170 14171 2eee3bf 14169->14171 14172 2eee317 14169->14172 14170->14172 14172->14171 14173 2eee3ba KiUserCallbackDispatcher 14172->14173 14173->14171 14174 2ee6788 14175 2ee67df DuplicateHandle 14174->14175 14176 2ee681e 14175->14176

                                          Executed Functions

                                          Function 02EE4E90 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 536 2ee4e90-2ee65cf GetCurrentProcess 542 2ee65d8-2ee660c GetCurrentThread 536->542 543 2ee65d1-2ee65d7 536->543 544 2ee660e-2ee6614 542->544 545 2ee6615-2ee6649 GetCurrentProcess 542->545 543->542 544->545 547 2ee664b-2ee6651 545->547 548 2ee6652-2ee666d call 2ee670f 545->548 547->548 551 2ee6673-2ee66a2 GetCurrentThreadId 548->551 552 2ee66ab-2ee670d 551->552 553 2ee66a4-2ee66aa 551->553 553->552
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 02EE65BE
                                          • GetCurrentThread.KERNEL32 ref: 02EE65FB
                                          • GetCurrentProcess.KERNEL32 ref: 02EE6638
                                          • GetCurrentThreadId.KERNEL32 ref: 02EE6691
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: b883c34a5d345d7403ccb792e56ebf112886a5190f9ebd8257837536ee86c158
                                          • Instruction ID: 35b5d499da8e308b98ae9d014d0b97d26d8c42236551378caa821e5badc6bddb
                                          • Opcode Fuzzy Hash: b883c34a5d345d7403ccb792e56ebf112886a5190f9ebd8257837536ee86c158
                                          • Instruction Fuzzy Hash: B75148B0910709CFEB14CFA9C548B9EBBF5EB48304F20C459E409AB391DB74A944CF66
                                          Function 02EEBFF0 Relevance: 1.7, APIs: 1, Instructions: 200COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 678 2eebff0-2eec00f 679 2eec03b-2eec03f 678->679 680 2eec011-2eec01e call 2eeaf60 678->680 681 2eec053-2eec094 679->681 682 2eec041-2eec04b 679->682 687 2eec034 680->687 688 2eec020 680->688 689 2eec096-2eec09e 681->689 690 2eec0a1-2eec0af 681->690 682->681 687->679 733 2eec026 call 2eec698 688->733 734 2eec026 call 2eec689 688->734 689->690 691 2eec0d3-2eec0d5 690->691 692 2eec0b1-2eec0b6 690->692 695 2eec0d8-2eec0df 691->695 696 2eec0b8-2eec0bf call 2eeaf6c 692->696 697 2eec0c1 692->697 693 2eec02c-2eec02e 693->687 694 2eec170-2eec230 693->694 728 2eec238-2eec263 GetModuleHandleW 694->728 729 2eec232-2eec235 694->729 699 2eec0ec-2eec0f3 695->699 700 2eec0e1-2eec0e9 695->700 698 2eec0c3-2eec0d1 696->698 697->698 698->695 702 2eec0f5-2eec0fd 699->702 703 2eec100-2eec109 call 2eeaf7c 699->703 700->699 702->703 709 2eec10b-2eec113 703->709 710 2eec116-2eec11b 703->710 709->710 711 2eec11d-2eec124 710->711 712 2eec139-2eec146 710->712 711->712 714 2eec126-2eec136 call 2eeaf8c call 2eeaf9c 711->714 718 2eec148-2eec166 712->718 719 2eec169-2eec16f 712->719 714->712 718->719 730 2eec26c-2eec280 728->730 731 2eec265-2eec26b 728->731 729->728 731->730 733->693 734->693
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02EEC256
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 79e71c41278f064e6b4bc2cb50b6069cd2065311434e2a663f36ca88d3939c3b
                                          • Instruction ID: a933251b45824b4b5f28f039fe3c95ec2675466e261affbd80366509f0755ebf
                                          • Opcode Fuzzy Hash: 79e71c41278f064e6b4bc2cb50b6069cd2065311434e2a663f36ca88d3939c3b
                                          • Instruction Fuzzy Hash: 168138B0A00B058FDB24DF6AD44175ABBF1FF88204F10992EE48ADBB50D775E846CB91
                                          Function 02EE6414 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 735 2ee6414-2ee7431 CreateActCtxA 738 2ee743a-2ee7494 735->738 739 2ee7433-2ee7439 735->739 746 2ee7496-2ee7499 738->746 747 2ee74a3-2ee74a7 738->747 739->738 746->747 748 2ee74b8 747->748 749 2ee74a9-2ee74b5 747->749 750 2ee74b9 748->750 749->748 750->750
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02EE7421
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 27a6db2149bb4fc0cca6545247477b28648b5dbc2ff621116c556cccb7daaac6
                                          • Instruction ID: 542b97721bd5a2545573b26ca126d3e1d44248d90b26fb0e658664f03956976b
                                          • Opcode Fuzzy Hash: 27a6db2149bb4fc0cca6545247477b28648b5dbc2ff621116c556cccb7daaac6
                                          • Instruction Fuzzy Hash: 5041AE70D00729CBEB24DFA9C844BDEBBB5BF49308F20806AD419AB251DB756946CF90
                                          Function 02EE7364 Relevance: 1.6, APIs: 1, Instructions: 94COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 752 2ee7364-2ee7431 CreateActCtxA 754 2ee743a-2ee7494 752->754 755 2ee7433-2ee7439 752->755 762 2ee7496-2ee7499 754->762 763 2ee74a3-2ee74a7 754->763 755->754 762->763 764 2ee74b8 763->764 765 2ee74a9-2ee74b5 763->765 766 2ee74b9 764->766 765->764 766->766
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 02EE7421
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 45e844e9ef3f211cfec538f5f7d619114241de4410537b3367aea49dd9fa167f
                                          • Instruction ID: 8a3954559300589798e8fb9e429ff468e4bda2ce0b43b318496e3a1e9912fa5f
                                          • Opcode Fuzzy Hash: 45e844e9ef3f211cfec538f5f7d619114241de4410537b3367aea49dd9fa167f
                                          • Instruction Fuzzy Hash: 3341BDB1C00729CFEB25CFA9C944BCDBBB5BF49308F24806AD419AB251DB756946CF90
                                          Function 02EE6780 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 768 2ee6780-2ee67dc 771 2ee67df-2ee681c DuplicateHandle 768->771 772 2ee681e-2ee6824 771->772 773 2ee6825-2ee6842 771->773 772->773
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EE680F
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0f6c390d48fbfd12c1568ecba718e538bab80f49a01916f230380adb1939ee80
                                          • Instruction ID: f93a5b4289afbeda803fcc866a36e0398f00f5b5d94e2d7b19798276e19b9718
                                          • Opcode Fuzzy Hash: 0f6c390d48fbfd12c1568ecba718e538bab80f49a01916f230380adb1939ee80
                                          • Instruction Fuzzy Hash: 952135B5D00248DFDF10CF9AD885BEEBBF8EB58324F14801AE915A7251D339A944CFA5
                                          Function 02EE6788 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 776 2ee6788-2ee681c DuplicateHandle 778 2ee681e-2ee6824 776->778 779 2ee6825-2ee6842 776->779 778->779
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EE680F
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 174e545a7107584c4aab928c027c9d7c683ed3dbf37f383475b0e5590be753a5
                                          • Instruction ID: 456ac4f9d9fadab946784ab4014056d3859f932c826f66cc8d4d734fc5345df8
                                          • Opcode Fuzzy Hash: 174e545a7107584c4aab928c027c9d7c683ed3dbf37f383475b0e5590be753a5
                                          • Instruction Fuzzy Hash: 8E21C4B5D00248DFDB10CF9AD984ADEBBF8FB48310F14841AE955A7350D379A944CFA5
                                          Function 02EEC1F0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                          Download Yara Rule

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 782 2eec1f0-2eec230 783 2eec238-2eec263 GetModuleHandleW 782->783 784 2eec232-2eec235 782->784 785 2eec26c-2eec280 783->785 786 2eec265-2eec26b 783->786 784->783 786->785
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 02EEC256
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1457245398.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_2ee0000_workbook.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: bec2a56c4384665cea99ee2aadbff00074921deefad7d4537cac94501ca06e28
                                          • Instruction ID: 69f9b4e0fe239186de2100e31045c1b0bb92dff3ae2956d0bc48329a1be1c5f0
                                          • Opcode Fuzzy Hash: bec2a56c4384665cea99ee2aadbff00074921deefad7d4537cac94501ca06e28
                                          • Instruction Fuzzy Hash: B31110B6C007498FDB20DF9AD444BDEFBF4EB88614F20C41AD429A7600C379A545CFA1
                                          Function 016AD01C Relevance: .1, Instructions: 72COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1456749446.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_16ad000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1ab1613016b7e302fc188be8928264cf015fc2ed80cc15083d4955c3f481f35
                                          • Instruction ID: f0e4ce42445a800dfd691b6f95fb2411febcf885644005a8f06a69b01e169b9a
                                          • Opcode Fuzzy Hash: b1ab1613016b7e302fc188be8928264cf015fc2ed80cc15083d4955c3f481f35
                                          • Instruction Fuzzy Hash: A3210071644200EFDB15DF64D980B26BBA1EB88314F60C56DE80A4B792C336D847CE62
                                          Function 016AD006 Relevance: .1, Instructions: 63COMMON
                                          Download Yara Rule
                                          Memory Dump Source
                                          • Source File: 00000014.00000002.1456749446.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_20_2_16ad000_workbook.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 46aa6132cb3e897c1f68d01b2548e14444809b34367df1b7dea438349b728914
                                          • Instruction ID: 5f5548aa5766b0be891eba823dbef2d37093883c17e6b22a5000482209a34772
                                          • Opcode Fuzzy Hash: 46aa6132cb3e897c1f68d01b2548e14444809b34367df1b7dea438349b728914
                                          • Instruction Fuzzy Hash: 122180755483809FDB02CF54D994B11BF71EB46314F28C5DAD8498F6A7C33A9846CB62