
Windows Analysis Report
QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe

Overview

General Information

Sample name: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
Analysis ID: 1585887
MD5: 9b3c35a49dd56d6282a2a89832046ffc
SHA1: 0cb9124335747f5dd253744a828d5e30ca7d06f3
SHA256: 2234c3a3350dbeba11b7564dc52d5aa1252777f9ffe8dcf4027dcb54fc4542aa
Tags: exe, QuasarRAT, user-TeamDreier

Detection

Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected Quasar RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
    • QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe (PID: 4940 cmdline: "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
      • schtasks.exe (PID: 7104 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Exccelworkbook.exe (PID: 6576 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
        • Exccelworkbook.exe (PID: 6404 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
        • Exccelworkbook.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
        • Exccelworkbook.exe (PID: 6724 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
          • schtasks.exe (PID: 5324 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Exccelworkbook.exe (PID: 3060 cmdline: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe MD5: 9B3C35A49DD56D6282A2A89832046FFC)
    • Exccelworkbook.exe (PID: 5664 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
    • Exccelworkbook.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
    • Exccelworkbook.exe (PID: 6744 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
    • Exccelworkbook.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
    • Exccelworkbook.exe (PID: 1816 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 9B3C35A49DD56D6282A2A89832046FFC)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source | Rule | Description | Author
00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000006.00000002.1919924334.000000000BC7A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000005.00000002.1816081787.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000006.00000002.1878255019.00000000031C7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
Source | Rule | Description | Author | Strings
0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
5.2.Exccelworkbook.exe.4299990.2.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
5.2.Exccelworkbook.exe.4299990.2.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0x28d0d8:$x1: Quasar.Common.Messages
  • 0x29d43b:$x1: Quasar.Common.Messages
  • 0x2a99f2:$x4: Uninstalling... good bye :-(
  • 0x2ab1e7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
5.2.Exccelworkbook.exe.4299990.2.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifacts observed in infostealers | ditekSHen
  • 0x2a8fa4:$f1: FileZilla\recentservers.xml
  • 0x2a8fe4:$f2: FileZilla\sitemanager.xml
  • 0x2a9026:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x2a9272:$b1: Chrome\User Data\
  • 0x2a92c8:$b1: Chrome\User Data\
  • 0x2a95a0:$b2: Mozilla\Firefox\Profiles
  • 0x2a969c:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2fb720:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x2a97f4:$b4: Opera Software\Opera Stable\Login Data
  • 0x2a98ae:$b5: YandexBrowser\User Data\
  • 0x2a991c:$b5: YandexBrowser\User Data\
  • 0x2a95f0:$s4: logins.json
  • 0x2a9326:$a1: username_value
  • 0x2a9344:$a2: password_value
  • 0x2a9630:$a3: encryptedUsername
  • 0x2fb664:$a3: encryptedUsername
  • 0x2a9654:$a4: encryptedPassword
  • 0x2fb682:$a4: encryptedPassword
  • 0x2fb600:$a5: httpRealm
5.2.Exccelworkbook.exe.4299990.2.unpack | MALWARE_Win_QuasarStealer | Detects Quasar infostealer | ditekshen
  • 0x163116:$s1: PGma.System.MouseKeyHook, Version=5.6.130.0, Culture=neutral, PublicKeyToken=null
  • 0x2a9adc:$s3: Process already elevated.
  • 0x28cdd7:$s4: get_PotentiallyVulnerablePasswords
  • 0x276e58:$s5: GetKeyloggerLogsDirectory
  • 0x29cb9a:$s5: GetKeyloggerLogsDirectory
  • 0x28cdfa:$s6: set_PotentiallyVulnerablePasswords
  • 0x2fcd4e:$s7: BQuasar.Client.Extensions.RegistryKeyExtensions+<GetKeyValues>

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe, ParentProcessId: 6724, ParentProcessName: Exccelworkbook.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 5324, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe", ParentImage: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, ParentProcessId: 4940, ParentProcessName: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 7104, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T12:48:15.586054+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 94.156.177.117 | 5287 | 192.168.2.4 | 49736 | TCP
2025-01-08T12:48:15.586054+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 94.156.177.117 | 5287 | 192.168.2.4 | 49736 | TCP

AV Detection

Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack; Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "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", "ServerCertificate": "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"}
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe; ReversingLabs: Detection: 34%
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe; Virustotal: Detection: 29%
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe; ReversingLabs: Detection: 34%
Source: Yara match; File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1919924334.000000000BC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.1816081787.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.1878255019.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 6648, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 4940, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Exccelworkbook.exe PID: 6576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Exccelworkbook.exe PID: 3060, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: Exccelworkbook.exe PID: 6724, type: MEMORYSTR
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe; Joe Sandbox ML: detected
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe; Joe Sandbox ML: detected
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: YgrU.pdb; source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, Exccelworkbook.exe.2.dr
Source: Binary string: YgrU.pdbSHA256; source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, Exccelworkbook.exe.2.dr

Networking

Source: Network traffic; Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 94.156.177.117:5287 -> 192.168.2.4:49736
Source: Network traffic; Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 94.156.177.117:5287 -> 192.168.2.4:49736
Source: Malware configuration extractor; URLs: twart.myfirewall.org
Source: Yara match; File source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:49736 -> 94.156.177.117:5287
Source: global traffic; TCP traffic: 192.168.2.4:63837 -> 1.1.1.1:53
Source: Joe Sandbox View; IP Address: 195.201.57.90
Source: Joe Sandbox View; ASN Name: NET1-ASBG
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: ipwho.is
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
  Host: ipwho.is
  Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic; DNS traffic detected: DNS query: rency.ydns.eu
Source: global traffic; DNS traffic detected: DNS query: ipwho.is
Source: 77EC63BDA74BD0D0E0426DC8F8008506.9.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Exccelworkbook.exe, 00000009.00000002.4180585071.0000000001323000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabI
Source: Exccelworkbook.exe, 00000009.00000002.4180585071.0000000001323000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en2
Source: Exccelworkbook.exe, 00000009.00000002.4182925533.0000000003140000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ipwho.is
Source: Exccelworkbook.exe, 00000009.00000002.4182925533.0000000003140000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ipwho.isd
Source: Exccelworkbook.exe, 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Exccelworkbook.exe, 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1787337073.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000009.00000002.4182925533.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: Exccelworkbook.exe, 00000009.00000002.4182925533.000000000312E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipwho.is
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000009.00000002.4182925533.000000000312E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ipwho.is/
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000009.00000002.4182925533.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown; Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown; HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49738 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

                E-Banking Fraud

                Source: Yara match | File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1919924334.000000000BC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1816081787.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1878255019.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 6648, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 4940, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6576, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 3060, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6724, type: MEMORYSTR

                System Summary

                Source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects QuasarRAT malware Author: Florian Roth
                Source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Quasar infostealer Author: ditekshen
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack, .csLarge array initialization: : array initializer size 37142
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.5970000.1.raw.unpack, .csLarge array initialization: : array initializer size 37142
                Source: initial sampleStatic PE information: Filename: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: initial sampleStatic PE information: Filename: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeCode function: 0_2_0121D5BC0_2_0121D5BC
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeCode function: 0_2_02C515600_2_02C51560
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeCode function: 0_2_02C533300_2_02C53330
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeCode function: 0_2_02C5155B0_2_02C5155B
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeCode function: 2_2_0185F03C2_2_0185F03C
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 5_2_00C3D5BC5_2_00C3D5BC
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 5_2_028C15605_2_028C1560
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 5_2_028C34305_2_028C3430
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 5_2_028C15505_2_028C1550
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0187D5BC6_2_0187D5BC
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_051B15606_2_051B1560
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_051B15546_2_051B1554
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_051B34306_2_051B3430
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05746F406_2_05746F40
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0574782C6_2_0574782C
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_057400406_2_05740040
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_057400076_2_05740007
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05746F1F6_2_05746F1F
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076836986_2_07683698
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076845486_2_07684548
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076842106_2_07684210
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076800406_2_07680040
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07680F006_2_07680F00
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07686DE06_2_07686DE0
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768D7786_2_0768D778
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076857406_2_07685740
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768368A6_2_0768368A
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768F6906_2_0768F690
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076845386_2_07684538
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076855086_2_07685508
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076854F86_2_076854F8
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076842016_2_07684201
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076832E06_2_076832E0
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076832D06_2_076832D0
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076830706_2_07683070
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076800066_2_07680006
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_076830806_2_07683080
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768DFE86_2_0768DFE8
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768DFDB6_2_0768DFDB
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07681E006_2_07681E00
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07680E106_2_07680E10
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07681E106_2_07681E10
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07686DD16_2_07686DD1
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07680D8A6_2_07680D8A
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07682CC96_2_07682CC9
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_07682CD86_2_07682CD8
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768DBB06_2_0768DBB0
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_0768FAC86_2_0768FAC8
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 9_2_0141F03C9_2_0141F03C
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 16_2_0330F03C16_2_0330F03C
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1760767787.0000000005970000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFGMaker.dll2 vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFGMaker.dll2 vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000000.1706522041.0000000000ACC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameYgrU.exeD vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeBinary or memory string: OriginalFilenameYgrU.exeD vs QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                Source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1749530263.0000000001207000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tional Typeface Corporation.slntyd"
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@27/5@3/3
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.logJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2080:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeMutant created: \Sessions\1\BaseNamedObjects\Local\025351e291-5d1041-4fa37-932c7-869aeiQec514992
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeVirustotal: Detection: 29%
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeReversingLabs: Detection: 34%
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeFile read: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe"
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess created: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe"
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess created: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /fJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /fJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Section loaded: apphelp.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptnet.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cabinet.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Static file information: File size 3773952 > 1048576
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x398a00
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: YgrU.pdb | source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, Exccelworkbook.exe.2.dr
                Source: Binary string: YgrU.pdbSHA256 | source: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, Exccelworkbook.exe.2.dr

                Data Obfuscation

                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.5970000.1.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_01214779 push esi; iretd 0_2_0121477A
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_0121477B push esi; iretd 0_2_01214782
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_012147B0 push esi; iretd 0_2_012147B2
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_01214658 push edx; iretd 0_2_0121465A
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_012146BB push edx; iretd 0_2_012146BE
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_012146BF push edx; iretd 0_2_012146C2
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_0121AC79 pushfd ; iretd 0_2_0121AC7A
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_0121AC7B pushfd ; iretd 0_2_0121AC82
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Code function: 0_2_01215F28 push esp; iretw 0_2_01216109
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 5_2_05027BB8 push eax; mov dword ptr [esp], ecx 5_2_05027BBC
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_05827BB8 push eax; mov dword ptr [esp], ecx 6_2_05827BBC
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | File created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

                Boot Survival

                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeFile opened: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeFile opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeFile opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes | deleteJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe; Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match; file source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 6648, type: MEMORYSTR
                Source: Yara match; file source: Process Memory Space: Exccelworkbook.exe PID: 6576, type: MEMORYSTR
                Source: Yara match; file source: Process Memory Space: Exccelworkbook.exe PID: 3060, type: MEMORYSTR
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 1210000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 2EF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 2C30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 8F20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 7820000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 9F20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: AF20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: B690000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: CA00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: DA00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 1850000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 3460000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: 1AE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: C30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 2A90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 28A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 8660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 7000000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 9660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: A660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: AA30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 8660000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 1830000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 3190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 5190000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 8D10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 9D10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 9F00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: AF00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: B640000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: C9B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: D9B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 1410000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 2EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 4EC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 1960000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 3500000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory allocated: 1960000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Window / User API: threadDelayed 5694
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Window / User API: threadDelayed 3988
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe TID: 6724 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe TID: 2364 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 5664 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 6692 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 3848 Thread sleep time: -25825441703193356s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 4584 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 1136 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                Source: Exccelworkbook.exe, 00000009.00000002.4180585071.0000000001323000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
                Source: Exccelworkbook.exe, 00000009.00000002.4199691518.00000000060FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Exccelworkbook.exe, 00000009.00000002.4199422613.00000000060D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW~s~
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Memory written: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Memory written: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Process created: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe "C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe"
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\pala.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\palai.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll | VolumeInformation
                Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll | VolumeInformation
                Source: C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1919924334.000000000BC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1816081787.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1878255019.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 6648, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 4940, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6576, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 3060, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6724, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match; file source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.2f15048.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 5.2.Exccelworkbook.exe.4299990.2.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 2.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 5.2.Exccelworkbook.exe.45b6fb0.1.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 5.2.Exccelworkbook.exe.45b6fb0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 0.2.QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe.c1f2a58.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 5.2.Exccelworkbook.exe.4299990.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000006.00000002.1919924334.000000000BC7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000005.00000002.1816081787.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000006.00000002.1878255019.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 6648, type: MEMORYSTR
                Source: Yara match; file source: Process Memory Space: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe PID: 4940, type: MEMORYSTR
                Source: Yara match; file source: Process Memory Space: Exccelworkbook.exe PID: 6576, type: MEMORYSTR
                Source: Yara match; file source: Process Memory Space: Exccelworkbook.exe PID: 3060, type: MEMORYSTR
                Source: Yara match; file source: Process Memory Space: Exccelworkbook.exe PID: 6724, type: MEMORYSTR
                MITRE ATT&CK Matrix

                Techniques with matching signatures, by tactic. The figures in brackets are the signature-count badges shown in the matrix, copied as extracted.

                Execution: Windows Management Instrumentation [21]; Scheduled Task/Job [1]
                Persistence: Scheduled Task/Job [1]; DLL Side-Loading [1]
                Privilege Escalation: Process Injection [111]; Scheduled Task/Job [1]; DLL Side-Loading [1]
                Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [41]; Process Injection [111]; Hidden Files and Directories [1]; Obfuscated Files or Information [1]; Software Packing [1]; DLL Side-Loading [1]
                Credential Access: Input Capture [11]
                Discovery: Query Registry [1]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Information Discovery [23]
                Collection: Input Capture [11]; Archive Collected Data [1]
                Command and Control: Encrypted Channel [11]; Non-Standard Port [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [113]
                Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matching signatures
                Behavior Graph

                Behavior Graph ID: 1585887; Sample: QUOTATION - RFQ2496_PO 0877...; Start date: 08/01/2025; Architecture: WINDOWS; Score: 100
                Contacted hosts: rency.ydns.eu, twart.myfirewall.org, ipwho.is
                Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

                Process tree (numbers in brackets are the graph's node IDs):
                  [11] QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe (started)
                       dropped: [50] QUOTATION - RFQ249...f(87kb).com.exe.log (ASCII)
                       signature: Injects a PE file into a foreign processes
                    [17] QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe (started by [11])
                         dropped: [48] C:\Users\user\AppData\...xccelworkbook.exe (PE32)
                         signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                      [29] Exccelworkbook.exe (started by [17])
                           signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                        [34] Exccelworkbook.exe (started by [29])
                             network: rency.ydns.eu 94.156.177.117, ports 49736, 5287 (NET1-ASBG, Bulgaria); ipwho.is 195.201.57.90, ports 443, 49738 (HETZNER-ASDE, Germany); twart.myfirewall.org 127.0.0.4 (unknown, unknown)
                             signatures: Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
                          [44] schtasks.exe (started by [34])
                            [46] conhost.exe (started by [44])
                        [38] Exccelworkbook.exe (started by [29])
                        [40] Exccelworkbook.exe (started by [29])
                      [32] schtasks.exe (started by [17])
                        [42] conhost.exe (started by [32])
                  [15] Exccelworkbook.exe (started)
                    [21] Exccelworkbook.exe, [23] Exccelworkbook.exe, [25] Exccelworkbook.exe and 2 other processes (started by [15])

                Antivirus, Machine Learning and URL Reputation

                Initial sample: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                  Virustotal: 29%
                  ReversingLabs: 34%, label ByteCode-MSIL.Trojan.Perseus
                  Joe Sandbox ML: 100%
                Dropped file: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                  Joe Sandbox ML: 100%
                  ReversingLabs: 34%, label ByteCode-MSIL.Trojan.Perseus
                Unpacked PE files: No Antivirus matches
                Domains: No Antivirus matches
                URLs:
                  http://schemas.datacontract.org/2004/07/d: 0%, Avira URL Cloud, safe
                  http://ipwho.isd: 0%, Avira URL Cloud, safe
                Contacted domains (no antivirus detection on any entry)
                Name | IP | Active | Malicious | Reputation
                rency.ydns.eu | 94.156.177.117 | true | true | unknown
                ipwho.is | 195.201.57.90 | true | false | high
                twart.myfirewall.org | 127.0.0.4 | true | false | high

                Contacted URLs (no antivirus detection on any entry)
                Name | Malicious | Reputation
                twart.myfirewall.org | false | high
                https://ipwho.is/ | false | high
                URLs found in process memory (none marked malicious), grouped by the memory dump they were found in

                From QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1761027373.0000000007102000.00000004.00000800.00020000.00000000.sdmp (reputation high):
                  http://www.apache.org/licenses/LICENSE-2.0
                  http://www.fontbureau.com
                  http://www.fontbureau.com/designersG
                  http://www.fontbureau.com/designers/?
                  http://www.founder.com.cn/cn/bThe
                  http://www.fontbureau.com/designers?
                  http://www.tiro.com
                  http://www.fontbureau.com/designers
                  http://www.goodfont.co.kr
                  http://www.carterandcone.coml
                  http://www.sajatypeworks.com
                  http://www.typography.netD
                  http://www.fontbureau.com/designers/cabarga.htmlN
                  http://www.founder.com.cn/cn/cThe
                  http://www.galapagosdesign.com/staff/dennis.htm
                  http://www.founder.com.cn/cn
                  http://www.fontbureau.com/designers/frere-user.html
                  http://www.jiyu-kobo.co.jp/
                  http://www.galapagosdesign.com/DPlease
                  http://www.fontbureau.com/designers8
                  http://www.fonts.com
                  http://www.sandoll.co.kr
                  http://www.urwpp.deDPlease
                  http://www.zhongyicts.com.cn
                  http://www.sakkal.com

                From QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp; QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp; QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Exccelworkbook.exe, 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp; Exccelworkbook.exe, 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp (reputation high):
                  https://api.ipify.org/
                  https://stackoverflow.com/q/14436606/23354 (also in Exccelworkbook.exe, 00000009.00000002.4182925533.0000000002EF2000.00000004.00000800.00020000.00000000.sdmp)
                  https://stackoverflow.com/q/11564914/23354;
                  https://stackoverflow.com/q/2152978/23354sCannot

                From Exccelworkbook.exe (process 00000009) and the injected QUOTATION process:
                  http://schemas.datacontract.org/2004/07/ | Exccelworkbook.exe, 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp | reputation high
                  http://schemas.datacontract.org/2004/07/d | Exccelworkbook.exe, 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe | reputation unknown
                  http://ipwho.isd | Exccelworkbook.exe, 00000009.00000002.4182925533.0000000003140000.00000004.00000800.00020000.00000000.sdmp | Avira URL Cloud: safe | reputation unknown
                  http://ipwho.is | Exccelworkbook.exe, 00000009.00000002.4182925533.0000000003140000.00000004.00000800.00020000.00000000.sdmp | reputation high
                  https://ipwho.is | Exccelworkbook.exe, 00000009.00000002.4182925533.000000000312E000.00000004.00000800.00020000.00000000.sdmp | reputation high
                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe, 00000002.00000002.1787337073.0000000003461000.00000004.00000800.00020000.00000000.sdmp; Exccelworkbook.exe, 00000009.00000002.4182925533.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp | reputation high
                Public IPs
                IP | Domain | Country | ASN | ASN name | Malicious
                94.156.177.117 | rency.ydns.eu | Bulgaria | 43561 | NET1-ASBG | true
                195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false

                Non-public IP
                127.0.0.4 (loopback address that twart.myfirewall.org resolved to during the analysis)
                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                            Analysis ID:1585887
                                                                                            Start date and time:2025-01-08 12:47:05 +01:00
                                                                                            Joe Sandbox product:CloudBasic
                                                                                            Overall analysis duration:0h 10m 1s
                                                                                            Hypervisor based Inspection enabled:false
                                                                                            Report type:full
                                                                                            Cookbook file name:default.jbs
                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                             Number of new started processes analysed:21
                                                                                            Number of new started drivers analysed:0
                                                                                            Number of existing processes analysed:0
                                                                                            Number of existing drivers analysed:0
                                                                                            Number of injected processes analysed:0
                                                                                            Technologies:
                                                                                            • HCA enabled
                                                                                            • EGA enabled
                                                                                            • AMSI enabled
                                                                                            Analysis Mode:default
                                                                                            Analysis stop reason:Timeout
                                                                                            Sample name:QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                                                                                            Detection:MAL
                                                                                            Classification:mal100.troj.spyw.evad.winEXE@27/5@3/3
                                                                                            EGA Information:
                                                                                            • Successful, ratio: 100%
                                                                                            HCA Information:
                                                                                            • Successful, ratio: 100%
                                                                                            • Number of executed functions: 204
                                                                                            • Number of non-executed functions: 3
                                                                                            Cookbook Comments:
                                                                                            • Found application associated with file extension: .exe
                                                                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                            • Excluded IPs from analysis (whitelisted): 2.22.50.144, 2.22.50.131, 23.56.254.164, 20.109.210.53, 13.107.246.45
                                                                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                                                                                             • Not all processes were analyzed, report is missing behavior information
                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                             Time | Type | Description
                                                                                             06:48:01 | API Interceptor | 1x Sleep call for process: QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe modified
                                                                                             06:48:07 | API Interceptor | 11825234x Sleep call for process: Exccelworkbook.exe modified
                                                                                             11:48:06 | Task Scheduler | Run new task: pdfdocument, path: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
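The indicators on this page (the contacted domains and IP, the non-standard port toward rency.ydns.eu, the ipwho.is and api.ipify.org lookups, the dropped file C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe and the pdfdocument task in the timeline) can be turned into host-side checks. The following Python script is an added example and is not part of the Joe Sandbox report or of the sample: it matches those indicators against Sysmon-style process-creation (Event ID 1), network-connection (Event ID 3) and file-creation (Event ID 11) records. The sample events are constructed, and the schtasks command line in them is an assumption, because the report shows only the task name and the path it runs.

```python
"""Check Sysmon-style events against the indicators in this report.

Added example, not part of the Joe Sandbox report. The indicator values
(C2 hostnames/IP/port, IP-lookup services, dropped-file path, task name)
are taken from the report; the events at the bottom are constructed.
"""
import re
from dataclasses import dataclass

# Indicators from the report.
C2_HOSTS = {"rency.ydns.eu", "twart.myfirewall.org"}
C2_IPS = {"94.156.177.117"}
C2_PORTS = {5287}                       # non-standard port used toward rency.ydns.eu
IP_LOOKUP_HOSTS = {"ipwho.is", "api.ipify.org"}
TASK_NAME = "pdfdocument"
DROPPED_EXE = re.compile(r"\\AppData\\Roaming\\SubDir\\Exccelworkbook\.exe$", re.IGNORECASE)

# Assumption: the report shows only the task name and path, not the exact
# schtasks command line, so this matches the shape of the persistence
# (schtasks /create with an action under AppData) rather than a literal.
SCHTASKS_APPDATA = re.compile(r"schtasks(\.exe)?\s+/create\b.*\\AppData\\", re.IGNORECASE)
TASK_NAME_ARG = re.compile(r'/tn\s+"?' + re.escape(TASK_NAME) + r"\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    event_id: int
    reason: str
    detail: str


def check_process(ev):
    """Sysmon Event ID 1: process creation."""
    hits = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    if DROPPED_EXE.search(image):
        hits.append(Hit(1, "execution from dropped-payload path", image))
    if SCHTASKS_APPDATA.search(cmd):
        detail = "schtasks /create with action under AppData"
        if TASK_NAME_ARG.search(cmd):
            detail += f"; task name '{TASK_NAME}' matches report"
        hits.append(Hit(1, "scheduled-task persistence", detail))
    return hits


def check_network(ev):
    """Sysmon Event ID 3: network connection (one verdict per event)."""
    host = ev.get("DestinationHostname", "").lower()
    ip = ev.get("DestinationIp", "")
    port = int(ev.get("DestinationPort", 0))
    if host in C2_HOSTS or ip in C2_IPS:
        return [Hit(3, "reported C2 endpoint", f"{host or ip}:{port}")]
    if port in C2_PORTS:
        return [Hit(3, "reported non-standard C2 port", f"{ip}:{port}")]
    if host in IP_LOOKUP_HOSTS:
        return [Hit(3, "external IP lookup service used by this sample", host)]
    return []


def check_file(ev):
    """Sysmon Event ID 11: file creation."""
    target = ev.get("TargetFilename", "")
    if DROPPED_EXE.search(target):
        return [Hit(11, "dropped payload written", target)]
    return []


CHECKS = {1: check_process, 3: check_network, 11: check_file}


def scan(events):
    """Run the check that applies to each event's ID; return all hits in order."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        if check is not None:
            hits.extend(check(ev))
    return hits


# Constructed sample events using Sysmon field names. Values are invented
# except where they repeat indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /f /tn "pdfdocument" /sc onlogon '
                    r'/tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"'},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"'},
    {"EventID": 3, "DestinationHostname": "rency.ydns.eu",
     "DestinationIp": "94.156.177.117", "DestinationPort": "5287"},
    {"EventID": 3, "DestinationHostname": "ipwho.is",
     "DestinationIp": "195.201.57.90", "DestinationPort": "443"},
    {"EventID": 3, "DestinationHostname": "fs.microsoft.com",   # benign noise
     "DestinationIp": "2.22.50.144", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"EID {h.event_id:2d}  {h.reason}: {h.detail}")
```

The IP-lookup check is deliberately the lowest-priority verdict: ipwho.is and api.ipify.org are legitimate services (the report itself rates ipwho.is reputation high and not malicious), so a hit there is corroborating context for the C2 and persistence hits rather than an alert on its own.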
Match | Associated Sample Name / URL | Detection | Threat Name | Context
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
195.201.57.90 | Clipper.exe | malicious | Unknown | /?output=json
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | UXxZ4m65ro.exe | malicious | Quasar | 195.201.57.90
ipwho.is | ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
ipwho.is | jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
ipwho.is | 2Mi3lKoJfj.exe | malicious | Quasar | 195.201.57.90
ipwho.is | YJaaZuNHwI.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 108.181.61.49
ipwho.is | msgde.exe | malicious | Quasar | 108.181.61.49
ipwho.is | 6ee7HCp9cD.exe | malicious | Quasar | 108.181.61.49
ipwho.is | wUSt04rfJ0.exe | malicious | Quasar | 108.181.61.49
ipwho.is | https://en.newsnowbangla.com/archives/69912 | malicious | HTMLPhisher, TechSupportScam | 108.181.61.49
rency.ydns.eu | Zam#U00f3wienie 89118 _ Metal-Constructions.pdf.com.exe | malicious | Quasar | 93.123.85.234
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HETZNER-ASDE | YOUR TV LICENCE STATEMENT.pdf | malicious | HTMLPhisher | 78.46.22.25
HETZNER-ASDE | https://mrohailkhan.com/energyaustralia/auth/auhs1 | malicious | Unknown | 138.201.222.163
HETZNER-ASDE | file.exe | malicious | AsyncRAT | 116.203.56.216
HETZNER-ASDE | UXxZ4m65ro.exe | malicious | Quasar | 195.201.57.90
HETZNER-ASDE | https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM | malicious | HTMLPhisher | 148.251.133.221
HETZNER-ASDE | Mes_Drivers_3.0.4.exe | malicious | Unknown | 116.202.167.133
HETZNER-ASDE | 1.exe | malicious | Unknown | 144.76.136.153
HETZNER-ASDE | 1.exe | malicious | Unknown | 144.76.136.153
HETZNER-ASDE | miori.x86.elf | malicious | Unknown | 144.79.65.29
HETZNER-ASDE | sfqbr.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 94.130.22.61
NET1-ASBG | Quotation2025-0107pdf.exe | malicious | Lokibot, PureLog Stealer | 94.156.177.41
NET1-ASBG | Kloki.m68k.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | Kloki.arm7.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | Kloki.mpsl.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | Kloki.ppc.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | Kloki.spc.elf | malicious | Unknown | 83.222.191.90
NET1-ASBG | Kloki.mips.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | Kloki.arm5.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | Kloki.arm4.elf | malicious | Mirai | 83.222.191.90
NET1-ASBG | mips.elf | malicious | Unknown | 83.222.191.90
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | proforma invoice pdf.exe | malicious | AgentTesla, PureLog Stealer | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | 174.exe | malicious | Xmrig | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | spreadmalware.exe | malicious | XWorm | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | invoice-1623385214.pdf.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | invoice-1623385214 pdf.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | 0a0#U00a0.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | c2.hta | malicious | Remcos | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | http://xyft.zmdusdxj.ru | malicious | Unknown | 195.201.57.90
3b5074b1b5d032e5620f69f9f700ff0e | Globalfoundries eCHECK- Payment Advice.html | malicious | Unknown | 195.201.57.90
                                                                                            No context
                                                                                            Process:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                            Category:dropped
                                                                                            Size (bytes):71954
                                                                                            Entropy (8bit):7.996617769952133
                                                                                            Encrypted:true
                                                                                            SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                            MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                            SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                            SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                            SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                            Malicious:false
                                                                                            Reputation:high, very likely benign file
                                                                                            Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                            Process:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):328
                                                                                            Entropy (8bit):3.1302776811683923
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:kKgn9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:5DnLNkPlE99SNxAhUe/3
                                                                                            MD5:1760A2968E08479BCF221E793CC6E097
                                                                                            SHA1:D5008DA1F6138DB58A698914F8D7974E81103D21
                                                                                            SHA-256:A67544BF733E1714AAF428F65A3F97CC18145958A76134439D08FD359FC09C4C
                                                                                            SHA-512:1F8B5C9512ADCD77E8868A06E8BF215C82FF407CAD36EFAB1A7DC218E3B7DC56DFAB03ED7F1CCCC771FAA946380F8BD52555D5EB9DFD87944978DCD2D0E74C73
                                                                                            Malicious:false
                                                                                            Preview:p...... ........|@-..a..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                            Process:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1216
                                                                                            Entropy (8bit):5.34331486778365
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                            Malicious:false
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                            Process:C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1216
                                                                                            Entropy (8bit):5.34331486778365
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                            Malicious:true
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                            Process:C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3773952
                                                                                            Entropy (8bit):7.995193019666378
                                                                                            Encrypted:true
                                                                                            SSDEEP:98304:Xd36tNUGXT/1LirUtZDS7uJTtTD+ukiR+erm7fr2:X8tNFNLgQA7E9DtkoK7fK
                                                                                            MD5:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            SHA1:0CB9124335747F5DD253744A828D5E30CA7D06F3
                                                                                            SHA-256:2234C3A3350DBEBA11B7564DC52D5AA1252777F9FFE8DCF4027DCB54FC4542AA
                                                                                            SHA-512:33B45162D1C4E1F6AB103B92921E5FE1754EB3EC1B062298B5B976BC887EF2D559102A2CE8C758C5F7E12E33973C46326A126599226250F941251553BE4F2854
                                                                                            Malicious:true
                                                                                            Antivirus:
                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                            • Antivirus: ReversingLabs, Detection: 34%
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L.~g..............0...9..........9.. ....9...@.. ........................:...........@...................................9.O.....9.......................9.......9.T............................................ ............... ..H............text.....9.. ....9................. ..`.rsrc.........9.......9.............@..@.reloc........9.......9.............@..B..................9.....H........H..............\....t8.........................................^..}.....(.......(.....*.0..V........s...... =...}......{....o....}......{....o....}.....r...p}......{....o....}......+..*...0..+.........,..{.......+....,...{....o........(.....*..0............s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....(......{.....o .....{........s!...o".....{....r...po#.....{.....:..s$...o%.....{.....o&.....{....r...po'.....{.....o .....{.......;s!...o
                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Entropy (8bit):7.995193019666378
                                                                                            TrID:
                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                            File name:QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                                                                                            File size:3'773'952 bytes
                                                                                            MD5:9b3c35a49dd56d6282a2a89832046ffc
                                                                                            SHA1:0cb9124335747f5dd253744a828d5e30ca7d06f3
                                                                                            SHA256:2234c3a3350dbeba11b7564dc52d5aa1252777f9ffe8dcf4027dcb54fc4542aa
                                                                                            SHA512:33b45162d1c4e1f6ab103b92921e5fe1754eb3ec1b062298b5b976bc887ef2d559102a2ce8c758c5f7e12e33973c46326a126599226250f941251553be4f2854
                                                                                            SSDEEP:98304:Xd36tNUGXT/1LirUtZDS7uJTtTD+ukiR+erm7fr2:X8tNFNLgQA7E9DtkoK7fK
                                                                                            TLSH:ED063356030E55D8CA528B3929C4BB25F77475A0C2A3D30D32A890775EEE70BDAFED12
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L.~g..............0...9...........9.. ....9...@.. ........................:...........@................................
                                                                                            Icon Hash:90cececece8e8eb0
                                                                                            Entrypoint:0x79a9da
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:false
                                                                                            Imagebase:0x400000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                            Time Stamp:0x677E194C [Wed Jan 8 06:21:00 2025 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:4
                                                                                            OS Version Minor:0
                                                                                            File Version Major:4
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:4
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                            Instruction
                                                                                            jmp dword ptr [00402000h]
                                                                                            adc dh, byte ptr [esi+edx*2]
                                                                                            js 00007F3A307F1472h
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [ecx], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [edx], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [ebx], al
                                                                                            add byte ptr [eax], al
                                                                                            add byte ptr [eax+eax], al
add byte ptr [eax], al
(the line above repeats 86 times: the remaining bytes are zero-filled, and 00 00 decodes as add byte ptr [eax], al. The only meaningful native instruction is the jmp dword ptr [00402000h] at the top, which reads the single IAT slot at image base 0x400000 + IAT RVA 0x2000; the loader fills that slot with mscoree.dll!_CorExeMain, so the program logic is CIL and x86 disassembly of the entry point says nothing about it.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x39a988 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x39c000 | 0x618 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x39e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x398704 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3989f8 | 0x398a00 | db6e7c209ab5ed87ae1a649dce154e4b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x39c000 | 0x618 | 0x800 | 5dd18aedd949dc659da3b5b222db78e8 | False | 0.3359375 | data | 3.457239621336859 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x39e000 | 0xc | 0x200 | b59b0b392e5cd9003d5411a2756e8a20 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x39c090 | 0x388 | data | | | 0.4192477876106195
RT_MANIFEST | 0x39c428 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
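The static fields above are the ones a triage script should pull out before any dynamic run: a CLR header at RVA 0x2008 (the COM_DESCRIPTOR directory), a single native import of mscoree.dll!_CorExeMain, an entry point that is only a jmp through the 8-byte IAT at RVA 0x2000, no security directory (so no Authenticode signature), and a .text section of 0x3989f8 bytes that the report could not score for entropy. The following Python is an added example, not code from the report or from Joe Sandbox: it parses a PE32 header with the standard library only (pefile would give the same fields, but the stdlib version has no dependency) and reports those properties. Since the sample itself is not reproduced here, the script constructs a small PE in memory with the same header shape (image base 0x400000, IAT at 0x2000, CLR header at 0x2008, jmp dword ptr [00402000h] at the entry point, unsigned); the section contents of that constructed file are invented and say nothing about the real sample's entropy.

```python
"""Static PE32 triage with the standard library only (added example; not code
from the report or from Joe Sandbox). Reads the data directories and section
table and answers: is there a CLR header (managed .NET), is there an
Authenticode signature, is the native entry point the 6-byte 'jmp dword ptr
[IAT]' stub through which a managed EXE reaches _CorExeMain, and what is
each section's entropy. A small PE is built in memory so this runs offline;
that file's section bytes are invented."""
import math
import struct
from collections import Counter

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(blob: bytes) -> dict:
    """Image base, entry RVA, data directories and section headers of a PE32 file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER, 20 bytes
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here, not PE32+")
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    ndirs = struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", blob, opt + 96 + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsections):                           # IMAGE_SECTION_HEADER, 40 bytes each
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    for s in pe["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + rva - s["vaddr"]
    return None


def triage(blob: bytes) -> dict:
    pe = parse_pe32(blob)
    dirs = pe["dirs"]
    off = rva_to_offset(pe, pe["entry_rva"])
    stub = blob[off:off + 6] if off is not None else b""
    # FF 25 disp32 = jmp dword ptr [disp32]. A managed EXE's native entry is exactly
    # this, targeting the one IAT slot the loader fills with mscoree!_CorExeMain.
    clr_stub = (len(stub) == 6 and stub[:2] == b"\xff\x25"
                and struct.unpack_from("<I", stub, 2)[0] == pe["image_base"] + dirs["IAT"][0])
    out = {"managed_dotnet": dirs["COM_DESCRIPTOR"][1] != 0,
           "authenticode_signed": dirs["SECURITY"][1] != 0,
           "entry_is_clr_stub": clr_stub, "sections": {}}
    for s in pe["sections"]:
        raw = blob[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        out["sections"][s["name"]] = {"entropy": round(shannon_entropy(raw), 2),
                                      "executable": bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE),
                                      "writable": bool(s["chars"] & IMAGE_SCN_MEM_WRITE)}
    return out


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe() -> bytes:
    """Constructed PE32 (test input, not the sample): image base 0x400000, IAT at
    RVA 0x2000, CLR header at 0x2008, entry stub 'jmp dword ptr [00402000h]',
    unsigned. Section bytes are invented (a uniform blob stands in for a big array)."""
    image_base, iat_rva, hdr_size = 0x400000, 0x2000, 0x200
    stub = b"\xff\x25" + struct.pack("<I", image_base + iat_rva)
    text = b"\0" * 8 + struct.pack("<I", 0x48).ljust(0x48, b"\0") + stub + bytes(range(256)) * 8
    rsrc = b"\0" * 512 + b"RT_VERSION"
    layout = [(b".text", text, 0x60000020), (b".rsrc", rsrc, 0x40000040)]  # CODE|X|R, IDATA|R
    sec_hdrs, body, rva, ptr = b"", b"", 0x2000, hdr_size
    for name, data, chars in layout:
        rawsize = _align(len(data), 0x200)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, rawsize, ptr, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        rva, ptr = rva + _align(len(data), 0x1000), ptr + rawsize
    dirs = [(0, 0)] * 16
    dirs[12], dirs[14] = (iat_rva, 8), (iat_rva + 8, 0x48)              # IAT, COM_DESCRIPTOR
    opt = struct.pack("<HBB9I6H4IHH6I", 0x10B, 0x30, 0, len(text), len(rsrc), 0, 0x2050, 0x2000,
                      0x3000, image_base, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, rva, hdr_size, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", r, s) for r, s in dirs)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, len(opt), 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + file_hdr + opt + sec_hdrs).ljust(hdr_size, b"\0") + body


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(build_sample_pe()))
```

On the real file, managed_dotnet and entry_is_clr_stub would both be true and authenticode_signed false, which is the combination to treat as "decompile the CIL, do not bother with the x86 entry point". The entropy column is only a hint: a large .text full of near-uniform bytes points at embedded arrays or a packed payload, but the report itself reports the sample's .text entropy as unknown, and a compressed array and a legitimately large resource look alike until the CIL is read.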
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T12:48:15.586054+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 94.156.177.117 | 5287 | 192.168.2.4 | 49736 | TCP
2025-01-08T12:48:15.586054+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 94.156.177.117 | 5287 | 192.168.2.4 | 49736 | TCP
Both rules match fields of the TLS certificate presented by 94.156.177.117, so they fire on a server-to-client packet (the one at 12:48:15.586 in the TCP table) and do not depend on decrypting the session; a C2 server with a fresh self-signed certificate would not trigger them.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 12:48:14.843255043 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:14.848119974 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:14.848217010 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:14.856270075 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:14.861074924 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:15.569263935 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:15.569284916 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:15.569385052 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:15.578752995 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:15.586054087 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:15.812189102 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:15.872365952 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:16.909128904 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:16.909174919 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:16.909245968 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:16.911079884 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:16.911094904 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.756572962 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.756666899 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:17.761550903 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:17.761580944 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.761864901 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.769789934 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:17.815331936 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.961065054 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.961148024 CET | 443 | 49738 | 195.201.57.90 | 192.168.2.4
Jan 8, 2025 12:48:17.961256981 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:18.292387962 CET | 49738 | 443 | 192.168.2.4 | 195.201.57.90
Jan 8, 2025 12:48:18.600476980 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:18.606324911 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:18.606379032 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:18.611991882 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:19.131222963 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:19.281632900 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:19.501163960 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:48:19.669223070 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:21.255002975 CET | 63837 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:21.259849072 CET | 53 | 63837 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 12:48:21.259910107 CET | 63837 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:21.264760971 CET | 53 | 63837 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 12:48:21.708065033 CET | 63837 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:21.713124037 CET | 53 | 63837 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 12:48:21.713180065 CET | 63837 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:44.513041973 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:48:44.517963886 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:49:09.528680086 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:49:09.533516884 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:49:34.597675085 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:49:34.602559090 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:49:59.747695923 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:49:59.753628016 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:50:24.763293028 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:50:24.768187046 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:50:49.841588974 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:50:49.846462011 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:51:14.970277071 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:51:14.975174904 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:51:40.029383898 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:51:40.034245968 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
Jan 8, 2025 12:52:05.185762882 CET | 49736 | 5287 | 192.168.2.4 | 94.156.177.117
Jan 8, 2025 12:52:05.190732956 CET | 5287 | 49736 | 94.156.177.117 | 192.168.2.4
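The keep-alive pattern in the TCP table (from 12:48:44 onward, one client packet to 94.156.177.117:5287 roughly every 25 seconds, each answered within about 5 ms) is the behaviour to detect when the transport is TLS on a non-standard port and neither certificate nor payload can be inspected. The following Python is an added example and not part of the report: it reads packet rows in the report's column order, groups client-to-server packets per flow and flags a flow when its largest cluster of near-equal inter-arrival gaps is long enough. The cluster approach is deliberate: the same flow begins with an irregular handshake burst (12:48:14 to 12:48:19), which would wreck a plain mean/standard-deviation test over all gaps. The embedded rows are the client-to-server lines of the table above; the thresholds (five regular gaps, a period of at least one second, 5% tolerance) are assumptions to tune per environment, not values from the report.

```python
"""Periodic-beacon detection over sandbox packet rows (added example; not code
from the Joe Sandbox report). Client-to-server packets are grouped per
(src IP, dst IP, dst port); a flow is flagged when its largest cluster of
near-equal inter-arrival gaps has enough members, so a RAT heartbeat shows
even through TLS on an odd port and despite an irregular setup burst."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Client-to-server rows copied from the report's TCP table, one per line:
# "<timestamp> <src port> <dst port> <src IP> <dst IP>". 49736->5287 is the
# C2 flow (handshake burst, then keep-alives); 49738->443 is the one HTTPS
# request to ipwho.is, kept for contrast.
ROWS = """\
Jan 8, 2025 12:48:14.843255043 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:14.848217010 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:14.856270075 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:15.569385052 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:15.578752995 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:15.872365952 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:16.909128904 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:16.909245968 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:16.911079884 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:17.756666899 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:17.761550903 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:17.769789934 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:17.961256981 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:18.292387962 CET 49738 443 192.168.2.4 195.201.57.90
Jan 8, 2025 12:48:18.600476980 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:18.606379032 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:19.281632900 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:19.669223070 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:48:44.513041973 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:49:09.528680086 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:49:34.597675085 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:49:59.747695923 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:50:24.763293028 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:50:49.841588974 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:51:14.970277071 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:51:40.029383898 CET 49736 5287 192.168.2.4 94.156.177.117
Jan 8, 2025 12:52:05.185762882 CET 49736 5287 192.168.2.4 94.156.177.117
"""
_EPOCH = datetime(1970, 1, 1)


def parse_ts(ts: str) -> float:
    """'Jan 8, 2025 12:48:44.513041973 CET' -> seconds (naive; zone suffix ignored).
    strptime's %f takes at most six digits, so nanoseconds are truncated."""
    head, frac = ts.rsplit(".", 1)
    dt = datetime.strptime(f"{head}.{frac.split()[0][:6]}", "%b %d, %Y %H:%M:%S.%f")
    return (dt - _EPOCH).total_seconds()


def parse_rows(text: str):
    """-> [(seconds, src_port, dst_port, src_ip, dst_ip)] for each non-empty line."""
    packets = []
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, src, dst = line.rsplit(" ", 4)
            packets.append((parse_ts(ts), int(sport), int(dport), src, dst))
    return packets


def flow_gaps(packets):
    """Per (src_ip, dst_ip, dst_port): gaps in seconds between consecutive packets."""
    times = defaultdict(list)
    for t, _sport, dport, src, dst in packets:
        times[(src, dst, dport)].append(t)
    out = {}
    for flow, ts in times.items():
        ts.sort()
        out[flow] = [b - a for a, b in zip(ts, ts[1:])]
    return out


def dominant_period(gaps, tol=0.05):
    """Largest cluster of gaps within (1 + tol) of the cluster's smallest member
    -> (cluster size, mean gap). A setup burst cannot dilute this the way it
    dilutes a mean/stddev over all gaps."""
    gaps = sorted(gaps)
    best_n, best_period, j = 0, 0.0, 0
    for i, g in enumerate(gaps):
        while j < len(gaps) and gaps[j] <= g * (1 + tol):
            j += 1
        if j - i > best_n:
            best_n, best_period = j - i, mean(gaps[i:j])
    return best_n, best_period


def find_beacons(text, min_beacons=5, min_period=1.0, tol=0.05):
    """-> [(flow, period_seconds, regular_gaps, total_packets)]. The thresholds are
    assumptions to tune per environment, not values taken from the report."""
    hits = []
    for flow, gaps in flow_gaps(parse_rows(text)).items():
        n, period = dominant_period(gaps, tol)
        if n >= min_beacons and period >= min_period:
            hits.append((flow, round(period, 2), n, len(gaps) + 1))
    return hits


if __name__ == "__main__":
    for (src, dst, dport), period, n, total in find_beacons(ROWS):
        print(f"beacon {src} -> {dst}:{dport} every {period}s ({n} regular gaps, {total} packets)")
```

On these rows only the 5287 flow is reported, with a period of about 25 seconds and nine regular gaps out of eighteen; the ipwho.is session has no two gaps within 5% of each other. On real traffic the same logic runs over a flow summary (Zeek conn.log or NetFlow) rather than individual packets, and the minimum period and cluster size decide how much jitter an operator can add before the heartbeat stops being counted.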
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 12:48:12.589793921 CET | 64538 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:12.605371952 CET | 53 | 64538 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 12:48:14.827189922 CET | 49833 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:14.842231989 CET | 53 | 49833 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 12:48:16.898441076 CET | 55930 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 12:48:16.905210972 CET | 53 | 55930 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 12:48:21.254548073 CET | 53 | 51974 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 12:48:12.589793921 CET | 192.168.2.4 | 1.1.1.1 | 0xc08a | Standard query (0) | twart.myfirewall.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 12:48:14.827189922 CET | 192.168.2.4 | 1.1.1.1 | 0xbff4 | Standard query (0) | rency.ydns.eu | A (IP address) | IN (0x0001) | false
Jan 8, 2025 12:48:16.898441076 CET | 192.168.2.4 | 1.1.1.1 | 0x3d5c | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 12:48:12.605371952 CET | 1.1.1.1 | 192.168.2.4 | 0xc08a | No error (0) | twart.myfirewall.org | | 127.0.0.4 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 12:48:14.842231989 CET | 1.1.1.1 | 192.168.2.4 | 0xbff4 | No error (0) | rency.ydns.eu | | 94.156.177.117 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 12:48:16.905210972 CET | 1.1.1.1 | 192.168.2.4 | 0x3d5c | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
The first C2 name, twart.myfirewall.org, resolved to 127.0.0.4, a loopback address, so no connection to it could leave the machine; the C2 session in the TCP table went to the second name, rency.ydns.eu (94.156.177.117), on port 5287. Both names sit on dynamic-DNS providers that the operator can repoint at any time, so an A record that points into 127.0.0.0/8 for an external name is itself worth alerting on: it usually means the name is currently parked or sinkholed, not that the sample is benign.
                                                                                            • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 195.201.57.90 | 443 | 6724 | C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-08 11:48:17 UTC | 150 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Host: ipwho.is
Connection: Keep-Alive
2025-01-08 11:48:17 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 11:48:17 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
2025-01-08 11:48:17 UTC | 1021 | IN | Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo
The request is issued by the dropped copy of the sample, C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe (PID 6724), not by a browser, although the User-Agent claims Firefox 76; the JSON reply is the public IP address and geolocation of the analysis machine. The traffic itself is indistinguishable from a browser visit to ipwho.is, so the originating process, and the mismatch between it and the claimed User-Agent, is the useful signal here.


                                                                                            Target ID:0
                                                                                            Start time:06:47:59
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe"
                                                                                            Imagebase:0x730000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1758223737.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1762726823.000000000C1F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1762726823.000000000B691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:2
                                                                                            Start time:06:48:03
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\Desktop\QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe"
                                                                                            Imagebase:0xd70000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.1769970688.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000002.00000002.1769970688.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:3
                                                                                            Start time:06:48:05
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                                                                                            Imagebase:0xd30000
                                                                                            File size:187'904 bytes
                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:06:48:05
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:06:48:05
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x7ff70f330000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1816081787.0000000002AD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1822871144.0000000003A99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000005.00000002.1822871144.0000000004299000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Antivirus matches:
                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                            • Detection: 34%, ReversingLabs
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:6
                                                                                            Start time:06:48:06
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Imagebase:0xb10000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1919924334.000000000BC7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1878255019.00000000031C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:7
                                                                                            Start time:06:48:08
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x580000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:8
                                                                                            Start time:06:48:08
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x710000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:9
                                                                                            Start time:06:48:08
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x960000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000009.00000002.4182925533.000000000318C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:false

                                                                                            Target ID:10
                                                                                            Start time:06:48:11
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                                                                                            Imagebase:0xd30000
                                                                                            File size:187'904 bytes
                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:06:48:11
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            Imagebase:0x7ff7699e0000
                                                                                            File size:862'208 bytes
                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:06:48:15
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x430000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:13
                                                                                            Start time:06:48:15
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x720000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:14
                                                                                            Start time:06:48:15
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x130000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:15
                                                                                            Start time:06:48:15
                                                                                            Start date:08/01/2025
                                                                                            Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                                                            Imagebase:0x180000
                                                                                            File size:3'773'952 bytes
                                                                                            MD5 hash:9B3C35A49DD56D6282A2A89832046FFC
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

Target ID: 16
Start time: 06:48:15
Start date: 08/01/2025
Path: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
Imagebase: 0xd60000
File size: 3'773'952 bytes
MD5 hash: 9B3C35A49DD56D6282A2A89832046FFC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 9.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.2%
Total number of Nodes: 191
Total number of Limit Nodes: 14
(rendered execution graph not reproduced; its node listing covers call paths through GetCurrentProcess/GetCurrentThread/GetCurrentThreadId, DuplicateHandle, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, CreateActCtxA, GetModuleHandleW and PostMessageW)
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7c3eb38c7d18a33160fc1f970ef840d819fd1ffa6585a7e7b9c1408167a30bd
• Instruction ID: 47098a0cbe08df7279ca1ef313d7d1eb260e0e9441ae8d354f3f9ab8c287431e
• Opcode Fuzzy Hash: e7c3eb38c7d18a33160fc1f970ef840d819fd1ffa6585a7e7b9c1408167a30bd
• Instruction Fuzzy Hash: 8861F771D45629CBEB24CF66C8447E9BBF6BF89300F14C1AAD80DA6251DBB05AC5CF44

Control-flow Graph (function at 121d031; rendered basic-block graph not reproduced)

APIs
• GetCurrentProcess.KERNEL32 ref: 0121D0BE
• GetCurrentThread.KERNEL32 ref: 0121D0FB
• GetCurrentProcess.KERNEL32 ref: 0121D138
• GetCurrentThreadId.KERNEL32 ref: 0121D191
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 05b2ab39d42ca121d09de0cd09a571d3bf50e7194f1da3b2c3126c4e47ffa484
• Instruction ID: ffe11f07a97df8e9e08affbab7e1f5b683b792f2525bd18a9460bbde937136bc
• Opcode Fuzzy Hash: 05b2ab39d42ca121d09de0cd09a571d3bf50e7194f1da3b2c3126c4e47ffa484
• Instruction Fuzzy Hash: 205144B0901249CFDB14DFA9D548B9EBFF1BF89304F208469E119A7360D735A984CF65

Control-flow Graph (function at 121d040; rendered basic-block graph not reproduced)

APIs
• GetCurrentProcess.KERNEL32 ref: 0121D0BE
• GetCurrentThread.KERNEL32 ref: 0121D0FB
• GetCurrentProcess.KERNEL32 ref: 0121D138
• GetCurrentThreadId.KERNEL32 ref: 0121D191
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 9a5d77d5a0b88b45a9dd502e63db0e2693efe402741eea7f9c317e707f763ce5
• Instruction ID: 0e727972c50cfbf46826441d045378066314f1a40cb4e40001bf416d9e432d90
• Opcode Fuzzy Hash: 9a5d77d5a0b88b45a9dd502e63db0e2693efe402741eea7f9c317e707f763ce5
• Instruction Fuzzy Hash: 005133B0900249CFDB14DFAAD548BEEBBF1BB88304F208459E119A7360D735A984CF65

Control-flow Graph (function at 2c50457; rendered basic-block graph not reproduced)

APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02C50696
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: c68bc494b61dafcc6a0bd7e9de6bca698ea9acf8b99f2207e6b96743a8027d63
• Instruction ID: 14c70208e5a8b7e043d4421b90274b45452ebe69f5eccd47372196676aa8f200
• Opcode Fuzzy Hash: c68bc494b61dafcc6a0bd7e9de6bca698ea9acf8b99f2207e6b96743a8027d63
• Instruction Fuzzy Hash: C2A15B71D00229CFDB10CFA8C9417EEBBB2BF88314F1485A9E849E7254DB749A85CF95

Control-flow Graph (function at 2c50460; rendered basic-block graph not reproduced)

APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02C50696
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 776071bcf84e30ab4b03f6e62a947ba48e17781a3d875ecd0cbfae4398c6729e
• Instruction ID: 98b60362d065e95f2fd3edb598831b8ff7faabcc6fa066519e91eb9c2b753f1c
• Opcode Fuzzy Hash: 776071bcf84e30ab4b03f6e62a947ba48e17781a3d875ecd0cbfae4398c6729e
• Instruction Fuzzy Hash: 58914971D00229CFDB10CFA8C8417EEBBB2BF88314F1485A9E849E7254DB749A85CF95

Control-flow Graph (function at 12144c4; rendered basic-block graph not reproduced)

APIs
• CreateActCtxA.KERNEL32(?), ref: 012159C9
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: dd642c7f100a4493ffd8fa7950aab9e1e6ae62d199fd08890ce068c6e3489e78
• Instruction ID: 811ba1580095037ed7f1ee0ffa1e224a6328f5ffdf576c0c7013b0649e0065b4
• Opcode Fuzzy Hash: dd642c7f100a4493ffd8fa7950aab9e1e6ae62d199fd08890ce068c6e3489e78
• Instruction Fuzzy Hash: A141D2B1C10719CFDB24CFA9C88478EBBF5BF49304F24809AE419AB255DB756945CF90

Control-flow Graph (function at 1215913; rendered basic-block graph not reproduced)

APIs
• CreateActCtxA.KERNEL32(?), ref: 012159C9
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ccc41e553727a07f7fa1c6bd579ebee0a21fbe46b6716045b8745a25b4c8dd6f
• Instruction ID: 31d77e056d1e852d0d24705c00cdf65b1ed5adcdef8ef8c2ebb587a3111b06f1
• Opcode Fuzzy Hash: ccc41e553727a07f7fa1c6bd579ebee0a21fbe46b6716045b8745a25b4c8dd6f
• Instruction Fuzzy Hash: FB41C2B1C00719CFDB24CFA9C98478EBBF5BF49304F24809AD419AB255DB756945CF90

Control-flow Graph (graph image with Executed / Not Executed colouring not reproduced)
• Basic blocks: 2c50006-2c5008b, 2c5008d-2c50099, 2c5009b-2c500cb (calls Wow64SetThreadContext), 2c500cd-2c500d3, 2c500d4-2c50104
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C500BE
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (graph image with Executed / Not Executed colouring not reproduced)
• Basic blocks: 2c500d6-2c50104, 2c50110-2c50111, 2c50113-2c50193 (calls VirtualAllocEx), 2c50195-2c5019b, 2c5019c-2c501c1
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02C50186
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0

Control-flow Graph (graph image with Executed / Not Executed colouring not reproduced)
• Basic blocks: 2c501d0-2c50226, 2c50228-2c50234, 2c50236-2c50275 (calls WriteProcessMemory), 2c50277-2c5027d, 2c5027e-2c502ae
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02C50268
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (graph image with Executed / Not Executed colouring not reproduced)
• Basic blocks: 2c501d8-2c50226, 2c50228-2c50234, 2c50236-2c50275 (calls WriteProcessMemory), 2c50277-2c5027d, 2c5027e-2c502ae
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02C50268
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (graph image with Executed / Not Executed colouring not reproduced)
• Basic blocks: 2c502c3-2c50355 (calls ReadProcessMemory), 2c50357-2c5035d, 2c5035e-2c5038e
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02C50348
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph (graph image with Executed / Not Executed colouring not reproduced)
• Basic blocks: 121d689-121d68e, 121d690-121d724 (calls DuplicateHandle), 121d726-121d72c, 121d72d-121d74a
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121D717
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02C50348
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C500BE
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0121D717
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02C50186
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 02C52605
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0121AFFE
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0121AFFE
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,?,?,?), ref: 02C52605
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Memory Dump Source
• Source File: 00000000.00000002.1749110762.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11ad000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1749192159.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11bd000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1749192159.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11bd000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1749192159.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11bd000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1749110762.00000000011AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11ad000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1749192159.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_11bd000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1749645972.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1210000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1750961399.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2c50000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 7.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 92
Total number of Limit Nodes: 12
(Execution graph rendering omitted; API calls reached in the graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateActCtxA, GetModuleHandleW, GetFocus, KiUserCallbackDispatcher)

Control-flow Graph (function at 1856540; graph rendering omitted)

APIs
• GetCurrentProcess.KERNEL32 ref: 018565BE
• GetCurrentThread.KERNEL32 ref: 018565FB
• GetCurrentProcess.KERNEL32 ref: 01856638
• GetCurrentThreadId.KERNEL32 ref: 01856691
Memory Dump Source
• Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph (function at 185bff0; graph rendering omitted)

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0185C256
Memory Dump Source
• Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

Control-flow Graph (function at 1856780; graph rendering omitted)

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185680F
Memory Dump Source
• Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph (function at 1856414; graph rendering omitted)

APIs
• CreateActCtxA.KERNEL32(?), ref: 01857421
Memory Dump Source
• Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph (function at 1857364; graph rendering omitted)

APIs
• CreateActCtxA.KERNEL32(?), ref: 01857421
Memory Dump Source
• Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
                                                                                              • Opcode ID: a2b8ee0c058570f7f4ce1f32d9e7a80d10e353f0cbd9d4fc2b134c6b1c806b0a
                                                                                              • Instruction ID: 465ff1f55518b216d99cc9d9460e538eb5109fa64b3996f30d327b3c243ec513
                                                                                              • Opcode Fuzzy Hash: a2b8ee0c058570f7f4ce1f32d9e7a80d10e353f0cbd9d4fc2b134c6b1c806b0a
                                                                                              • Instruction Fuzzy Hash: 9C41B0B1C00619CFDB24CFA9C984B9EBBB6BF49304F64806AD408AB255DB756949CF90

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 715 1856788-185681c DuplicateHandle 716 1856825-1856842 715->716 717 185681e-1856824 715->717 717->716
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0185680F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 0a93294764d108960bab3f0213f5bb5e3aa3674376f77aa571d3e3cfbfd8a728
                                                                                              • Instruction ID: ccf4e5931f733d1da66fe123765b10ab3930b4aa3fe8b542ec5f08a380fdd763
                                                                                              • Opcode Fuzzy Hash: 0a93294764d108960bab3f0213f5bb5e3aa3674376f77aa571d3e3cfbfd8a728
                                                                                              • Instruction Fuzzy Hash: 6721E4B59002189FDB10CF9AD984ADEBFF4FB48320F14801AE958A3310D374A944CFA5

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 720 185c1f0-185c230 721 185c232-185c235 720->721 722 185c238-185c263 GetModuleHandleW 720->722 721->722 723 185c265-185c26b 722->723 724 185c26c-185c280 722->724 723->724
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0185C256
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1784353686.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_1850000_QUOTATION - RFQ2496_PO 08775622879.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 8460c2ed4219281bc68d4a1d48cdc1950602ace75fa72b2f7995a874d4a90445
                                                                                              • Instruction ID: 7ca90fee7a21de3bc7e4107ec33a3add41ad7ad3a81c7faa1474d5a9b7bf0ac5
                                                                                              • Opcode Fuzzy Hash: 8460c2ed4219281bc68d4a1d48cdc1950602ace75fa72b2f7995a874d4a90445
                                                                                              • Instruction Fuzzy Hash: 0C11E0B5C003498FDB10DF9AC444ADEFBF8EB89324F10852AD969B7610C375A645CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1783930870.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_180d000_QUOTATION - RFQ2496_PO 08775622879.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 30546d301508e5a721ced23b35f89431c4cec8d519db8eb0be2c05330c4e6574
                                                                                              • Instruction ID: c7c13fa3f33de672235758ef9ce6d36fcd87056ce7d150c174f10cbbe9a1da45
                                                                                              • Opcode Fuzzy Hash: 30546d301508e5a721ced23b35f89431c4cec8d519db8eb0be2c05330c4e6574
                                                                                              • Instruction Fuzzy Hash: BB212271604208DFDB56DF98D9C4B26BFA5EB84318F20C66DD80E8B296C33AD547CA61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000002.00000002.1783930870.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_2_2_180d000_QUOTATION - RFQ2496_PO 08775622879.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction ID: 5da5a7f5bb88ce04c9648fb7e8881effa279815cffe308459cd76f80887ce241
                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction Fuzzy Hash: E711BE75504284CFDB12CF54D9C4B15BF61FB44314F24C6AAD8098B696C33AD50ACB62

                                                                                              Execution Graph

                                                                                              Execution Coverage:10.1%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:193
                                                                                              Total number of Limit Nodes:11
                                                                                              execution_graph 28703 c3d040 28704 c3d086 GetCurrentProcess 28703->28704 28706 c3d0d1 28704->28706 28707 c3d0d8 GetCurrentThread 28704->28707 28706->28707 28708 c3d115 GetCurrentProcess 28707->28708 28709 c3d10e 28707->28709 28712 c3d14b 28708->28712 28709->28708 28710 c3d173 GetCurrentThreadId 28711 c3d1a4 28710->28711 28712->28710 28713 c3d690 DuplicateHandle 28714 c3d726 28713->28714 28939 c3acb0 28940 c3acbf 28939->28940 28943 c3ad97 28939->28943 28948 c3ada8 28939->28948 28944 c3addc 28943->28944 28945 c3adb9 28943->28945 28944->28940 28945->28944 28946 c3afe0 GetModuleHandleW 28945->28946 28947 c3b00d 28946->28947 28947->28940 28949 c3addc 28948->28949 28950 c3adb9 28948->28950 28949->28940 28950->28949 28951 c3afe0 GetModuleHandleW 28950->28951 28952 c3b00d 28951->28952 28952->28940 28715 28c2428 28716 28c25b3 28715->28716 28717 28c244e 28715->28717 28717->28716 28720 28c26a8 PostMessageW 28717->28720 28722 28c26a0 PostMessageW 28717->28722 28721 28c2714 28720->28721 28721->28717 28723 28c2714 28722->28723 28723->28717 28724 28c07e8 28726 28c080a 28724->28726 28725 28c088f 28726->28725 28729 28c1240 28726->28729 28750 28c1233 28726->28750 28730 28c125a 28729->28730 28742 28c1262 28730->28742 28771 28c1984 28730->28771 28776 28c1fca 28730->28776 28781 28c1caf 28730->28781 28785 28c1eee 28730->28785 28790 28c1dce 28730->28790 28796 28c162c 28730->28796 28801 28c17b1 28730->28801 28806 28c1550 28730->28806 28812 28c1877 28730->28812 28817 28c1a97 28730->28817 28823 28c1af7 28730->28823 28828 28c1655 28730->28828 28834 28c1a3d 28730->28834 28840 28c18dd 28730->28840 28846 28c1ba3 28730->28846 28850 28c1841 28730->28850 28855 28c1560 28730->28855 28861 28c1c66 28730->28861 28742->28725 28751 28c125a 28750->28751 28752 28c1262 28751->28752 28753 28c162c 2 API calls 28751->28753 28754 28c1dce 4 API calls 28751->28754 28755 28c1eee 2 API calls 28751->28755 28756 28c1caf 3 
API calls 28751->28756 28757 28c1fca 2 API calls 28751->28757 28758 28c1984 2 API calls 28751->28758 28759 28c1c66 4 API calls 28751->28759 28760 28c1560 2 API calls 28751->28760 28761 28c1841 2 API calls 28751->28761 28762 28c1ba3 2 API calls 28751->28762 28763 28c18dd 2 API calls 28751->28763 28764 28c1a3d 4 API calls 28751->28764 28765 28c1655 2 API calls 28751->28765 28766 28c1af7 2 API calls 28751->28766 28767 28c1a97 4 API calls 28751->28767 28768 28c1877 2 API calls 28751->28768 28769 28c1550 2 API calls 28751->28769 28770 28c17b1 2 API calls 28751->28770 28752->28725 28753->28752 28754->28752 28755->28752 28756->28752 28757->28752 28758->28752 28759->28752 28760->28752 28761->28752 28762->28752 28763->28752 28764->28752 28765->28752 28766->28752 28767->28752 28768->28752 28769->28752 28770->28752 28772 28c18a3 28771->28772 28773 28c188e 28771->28773 28772->28742 28773->28772 28867 502ff40 28773->28867 28871 502ff3a 28773->28871 28777 28c1ffb 28776->28777 28875 28c01d8 28777->28875 28879 28c01d0 28777->28879 28778 28c201c 28883 28c0110 28781->28883 28890 28c0118 28781->28890 28782 28c1ccd 28786 28c1eff 28785->28786 28788 28c01d8 WriteProcessMemory 28786->28788 28789 28c01d0 WriteProcessMemory 28786->28789 28787 28c201c 28788->28787 28789->28787 28791 28c1b9c 28790->28791 28792 28c1e6d 28791->28792 28795 28c0110 2 API calls 28791->28795 28894 28c0007 28791->28894 28898 28c0040 28791->28898 28792->28792 28795->28791 28797 28c1635 28796->28797 28902 28c0460 28797->28902 28906 28c0454 28797->28906 28802 28c17bd 28801->28802 28804 28c01d8 WriteProcessMemory 28802->28804 28805 28c01d0 WriteProcessMemory 28802->28805 28803 28c19d5 28803->28742 28804->28803 28805->28803 28807 28c1593 28806->28807 28808 28c166a 28807->28808 28810 28c0454 CreateProcessA 28807->28810 28811 28c0460 CreateProcessA 28807->28811 28808->28742 28809 28c1795 28809->28742 28809->28809 28810->28809 28811->28809 28813 28c187d 28812->28813 28815 502ff40 ResumeThread 28813->28815 28816 502ff3a 
ResumeThread 28813->28816 28814 28c18a3 28814->28742 28815->28814 28816->28814 28818 28c1a48 28817->28818 28820 28c0007 Wow64SetThreadContext 28818->28820 28821 28c0040 Wow64SetThreadContext 28818->28821 28822 28c0110 2 API calls 28818->28822 28819 28c183d 28819->28742 28820->28819 28821->28819 28822->28819 28824 28c1b04 28823->28824 28826 28c01d8 WriteProcessMemory 28824->28826 28827 28c01d0 WriteProcessMemory 28824->28827 28825 28c1e05 28826->28825 28827->28825 28830 28c1635 28828->28830 28829 28c166a 28829->28742 28830->28829 28832 28c0454 CreateProcessA 28830->28832 28833 28c0460 CreateProcessA 28830->28833 28831 28c1795 28831->28742 28831->28831 28832->28831 28833->28831 28835 28c1a48 28834->28835 28837 28c0007 Wow64SetThreadContext 28835->28837 28838 28c0040 Wow64SetThreadContext 28835->28838 28839 28c0110 2 API calls 28835->28839 28836 28c183d 28836->28742 28837->28836 28838->28836 28839->28836 28841 28c17bd 28840->28841 28842 28c192b 28841->28842 28844 28c01d8 WriteProcessMemory 28841->28844 28845 28c01d0 WriteProcessMemory 28841->28845 28842->28742 28843 28c19d5 28843->28742 28844->28843 28845->28843 28910 28c02c8 28846->28910 28914 28c02c2 28846->28914 28847 28c1a36 28847->28742 28851 28c1ef2 28850->28851 28853 28c01d8 WriteProcessMemory 28851->28853 28854 28c01d0 WriteProcessMemory 28851->28854 28852 28c201c 28853->28852 28854->28852 28857 28c1593 28855->28857 28856 28c166a 28856->28742 28857->28856 28859 28c0454 CreateProcessA 28857->28859 28860 28c0460 CreateProcessA 28857->28860 28858 28c1795 28858->28742 28858->28858 28859->28858 28860->28858 28864 28c0007 Wow64SetThreadContext 28861->28864 28865 28c0040 Wow64SetThreadContext 28861->28865 28866 28c0110 2 API calls 28861->28866 28862 28c1b9c 28862->28861 28863 28c1e6d 28862->28863 28864->28862 28865->28862 28866->28862 28868 502ff80 ResumeThread 28867->28868 28870 502ffb1 28868->28870 28870->28772 28872 502ff40 ResumeThread 28871->28872 28874 502ffb1 28872->28874 28874->28772 28876 28c0220 
WriteProcessMemory 28875->28876 28878 28c0277 28876->28878 28878->28778 28880 28c01d8 WriteProcessMemory 28879->28880 28882 28c0277 28880->28882 28882->28778 28884 28c009d Wow64SetThreadContext 28883->28884 28885 28c0113 VirtualAllocEx 28883->28885 28887 28c00cd 28884->28887 28889 28c0195 28885->28889 28887->28782 28889->28782 28891 28c0158 VirtualAllocEx 28890->28891 28893 28c0195 28891->28893 28893->28782 28895 28c0040 Wow64SetThreadContext 28894->28895 28897 28c00cd 28895->28897 28897->28791 28899 28c0085 Wow64SetThreadContext 28898->28899 28901 28c00cd 28899->28901 28901->28791 28903 28c04e9 CreateProcessA 28902->28903 28905 28c06ab 28903->28905 28907 28c04e9 CreateProcessA 28906->28907 28909 28c06ab 28907->28909 28909->28909 28911 28c0313 ReadProcessMemory 28910->28911 28913 28c0357 28911->28913 28913->28847 28915 28c02c8 ReadProcessMemory 28914->28915 28917 28c0357 28915->28917 28917->28847 28918 c34668 28919 c3467a 28918->28919 28920 c34686 28919->28920 28922 c34779 28919->28922 28923 c3479d 28922->28923 28927 c34879 28923->28927 28931 c34888 28923->28931 28928 c348af 28927->28928 28929 c3498c 28928->28929 28935 c344c4 28928->28935 28933 c348af 28931->28933 28932 c3498c 28932->28932 28933->28932 28934 c344c4 CreateActCtxA 28933->28934 28934->28932 28936 c35918 CreateActCtxA 28935->28936 28938 c359db 28936->28938

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 294 c3d031-c3d0cf GetCurrentProcess 298 c3d0d1-c3d0d7 294->298 299 c3d0d8-c3d10c GetCurrentThread 294->299 298->299 300 c3d115-c3d149 GetCurrentProcess 299->300 301 c3d10e-c3d114 299->301 303 c3d152-c3d16d call c3d618 300->303 304 c3d14b-c3d151 300->304 301->300 306 c3d173-c3d1a2 GetCurrentThreadId 303->306 304->303 308 c3d1a4-c3d1aa 306->308 309 c3d1ab-c3d20d 306->309 308->309
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 00C3D0BE
                                                                                              • GetCurrentThread.KERNEL32 ref: 00C3D0FB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 00C3D138
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00C3D191
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: 2e21b49f06ad225f53f03d519e3dabb38968a9bf4984b7f29d1f38ad892484f3
                                                                                              • Instruction ID: 9e518536a902e4ffe16624875a153b413a8bee43879ffbc17cfccf0d1463c510
                                                                                              • Opcode Fuzzy Hash: 2e21b49f06ad225f53f03d519e3dabb38968a9bf4984b7f29d1f38ad892484f3
                                                                                              • Instruction Fuzzy Hash: 8A5165B09103498FDB14DFAAD548BAEBBF1AF48314F208459D019A73A1DB359984CF65

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 316 c3d040-c3d0cf GetCurrentProcess 320 c3d0d1-c3d0d7 316->320 321 c3d0d8-c3d10c GetCurrentThread 316->321 320->321 322 c3d115-c3d149 GetCurrentProcess 321->322 323 c3d10e-c3d114 321->323 325 c3d152-c3d16d call c3d618 322->325 326 c3d14b-c3d151 322->326 323->322 328 c3d173-c3d1a2 GetCurrentThreadId 325->328 326->325 330 c3d1a4-c3d1aa 328->330 331 c3d1ab-c3d20d 328->331 330->331
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 00C3D0BE
                                                                                              • GetCurrentThread.KERNEL32 ref: 00C3D0FB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 00C3D138
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 00C3D191
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: 879fae28cee7dd79a63a4794f8c379801c35ec38e7253be022d1b3fa5205fa73
                                                                                              • Instruction ID: f051b09e203a7968aad78d8559b5072c99d2f421fad661c09c002203b41fe073
                                                                                              • Opcode Fuzzy Hash: 879fae28cee7dd79a63a4794f8c379801c35ec38e7253be022d1b3fa5205fa73
                                                                                              • Instruction Fuzzy Hash: 275144B09103098FDB14DFAAD548BAEBBF1BF88314F208459E419A7360DB74A984CF65

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 360 28c0110-28c0111 361 28c009d-28c00cb Wow64SetThreadContext 360->361 362 28c0113-28c0193 VirtualAllocEx 360->362 365 28c00cd-28c00d3 361->365 366 28c00d4-28c0104 361->366 372 28c019c-28c01c1 362->372 373 28c0195-28c019b 362->373 365->366 373->372
                                                                                              APIs
                                                                                              • Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 028C00BE
                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028C0186
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: AllocContextThreadVirtualWow64
                                                                                              • String ID:
                                                                                              • API String ID: 2727713192-0
                                                                                              • Opcode ID: 2713bbb46a7ceb3d0276181c8f2ba13345b7477f99f45f0892a8569818eaf547
                                                                                              • Instruction ID: 7d0c4a6450f6a415f0a57274ae199d26cc1d442239ef0a128125c0eae9f5168c
                                                                                              • Opcode Fuzzy Hash: 2713bbb46a7ceb3d0276181c8f2ba13345b7477f99f45f0892a8569818eaf547
                                                                                              • Instruction Fuzzy Hash: 03316876900209CFDB10DFAAC8447EEFBF5EF88324F24842AD559A7250CB799945CBA1

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 441 28c0454-28c04f5 443 28c052e-28c054e 441->443 444 28c04f7-28c0501 441->444 449 28c0587-28c05b6 443->449 450 28c0550-28c055a 443->450 444->443 445 28c0503-28c0505 444->445 447 28c0528-28c052b 445->447 448 28c0507-28c0511 445->448 447->443 451 28c0515-28c0524 448->451 452 28c0513 448->452 460 28c05ef-28c06a9 CreateProcessA 449->460 461 28c05b8-28c05c2 449->461 450->449 453 28c055c-28c055e 450->453 451->451 454 28c0526 451->454 452->451 455 28c0560-28c056a 453->455 456 28c0581-28c0584 453->456 454->447 458 28c056c 455->458 459 28c056e-28c057d 455->459 456->449 458->459 459->459 462 28c057f 459->462 472 28c06ab-28c06b1 460->472 473 28c06b2-28c0738 460->473 461->460 463 28c05c4-28c05c6 461->463 462->456 464 28c05c8-28c05d2 463->464 465 28c05e9-28c05ec 463->465 467 28c05d4 464->467 468 28c05d6-28c05e5 464->468 465->460 467->468 468->468 469 28c05e7 468->469 469->465 472->473 483 28c0748-28c074c 473->483 484 28c073a-28c073e 473->484 485 28c075c-28c0760 483->485 486 28c074e-28c0752 483->486 484->483 487 28c0740 484->487 489 28c0770-28c0774 485->489 490 28c0762-28c0766 485->490 486->485 488 28c0754 486->488 487->483 488->485 492 28c0786-28c078d 489->492 493 28c0776-28c077c 489->493 490->489 491 28c0768 490->491 491->489 494 28c078f-28c079e 492->494 495 28c07a4 492->495 493->492 494->495 496 28c07a5 495->496 496->496
                                                                                              APIs
                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 028C0696
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: c9643776a70139b5c3def38b7ffde55e9c88b87989e9238909dd3ff8281ec47d
                                                                                              • Instruction ID: 0c80e32fdace76d23428c1ba14b511e2ed1f944c14069474b32ef47ec6d6876b
                                                                                              • Opcode Fuzzy Hash: c9643776a70139b5c3def38b7ffde55e9c88b87989e9238909dd3ff8281ec47d
                                                                                              • Instruction Fuzzy Hash: 97A16B79D00219DFDB14CFA8C841BDEBBB2BF48354F2481A9E848E7250DB759985CF91

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 498 28c0460-28c04f5 500 28c052e-28c054e 498->500 501 28c04f7-28c0501 498->501 506 28c0587-28c05b6 500->506 507 28c0550-28c055a 500->507 501->500 502 28c0503-28c0505 501->502 504 28c0528-28c052b 502->504 505 28c0507-28c0511 502->505 504->500 508 28c0515-28c0524 505->508 509 28c0513 505->509 517 28c05ef-28c06a9 CreateProcessA 506->517 518 28c05b8-28c05c2 506->518 507->506 510 28c055c-28c055e 507->510 508->508 511 28c0526 508->511 509->508 512 28c0560-28c056a 510->512 513 28c0581-28c0584 510->513 511->504 515 28c056c 512->515 516 28c056e-28c057d 512->516 513->506 515->516 516->516 519 28c057f 516->519 529 28c06ab-28c06b1 517->529 530 28c06b2-28c0738 517->530 518->517 520 28c05c4-28c05c6 518->520 519->513 521 28c05c8-28c05d2 520->521 522 28c05e9-28c05ec 520->522 524 28c05d4 521->524 525 28c05d6-28c05e5 521->525 522->517 524->525 525->525 526 28c05e7 525->526 526->522 529->530 540 28c0748-28c074c 530->540 541 28c073a-28c073e 530->541 542 28c075c-28c0760 540->542 543 28c074e-28c0752 540->543 541->540 544 28c0740 541->544 546 28c0770-28c0774 542->546 547 28c0762-28c0766 542->547 543->542 545 28c0754 543->545 544->540 545->542 549 28c0786-28c078d 546->549 550 28c0776-28c077c 546->550 547->546 548 28c0768 547->548 548->546 551 28c078f-28c079e 549->551 552 28c07a4 549->552 550->549 551->552 553 28c07a5 552->553 553->553
                                                                                              APIs
                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 028C0696
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: 869e3902516427ba855c1b45b071d76fdeef8279b1887c79c89167c69349b2f6
                                                                                              • Instruction ID: 2a4c7ae572ff707f4e00faac18be80d75a9f938eb6847ca2e67c3031b097bea5
                                                                                              • Opcode Fuzzy Hash: 869e3902516427ba855c1b45b071d76fdeef8279b1887c79c89167c69349b2f6
                                                                                              • Instruction Fuzzy Hash: 68916A79D00219CFDB24CFA8C841BDEBBB2BF48354F2481A9E808E7250DB759985CF91

Control-flow Graph: function at c3ada8 (basic blocks c3ada8-c3b028, calls GetModuleHandleW and internal subroutines at c3a0cc, c3b031, c3b040, c3a0d8, c3a0e8, c3a0f8, c3a108); interactive graph node/edge data and executed/not-executed legend not reproduced.

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00C3AFFE
Memory Dump Source
• Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: d347a4a291c1238ba7ee68ad794b995367cf24968418de2d1c944e4fdfa86181
• Instruction ID: 4089e451cb5b158bdfb20b67c296fe7f123b6b35e6be4f00282927c9985a7e9c
• Opcode Fuzzy Hash: d347a4a291c1238ba7ee68ad794b995367cf24968418de2d1c944e4fdfa86181
• Instruction Fuzzy Hash: 63815470A10B058FD724DF2AD44579ABBF1FF88700F008A2DD49AD7A50D735E969CB91

Control-flow Graph: function at c3590c (basic blocks c3590c-c35a61, calls CreateActCtxA); interactive graph node/edge data and executed/not-executed legend not reproduced.

APIs
• CreateActCtxA.KERNEL32(?), ref: 00C359C9
Memory Dump Source
• Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: e69d62afc01269816f4e3e123143df8a2722960a1df3f9eb01c4109fd39a812f
• Instruction ID: 5f4dfa190658a23f4be6a32cebb83d809db490e5c5a347eaeb784cea563db0d7
• Opcode Fuzzy Hash: e69d62afc01269816f4e3e123143df8a2722960a1df3f9eb01c4109fd39a812f
• Instruction Fuzzy Hash: 9241C2B0C00619CFDB24CFA9C884BDEBBF5BF49304F24816AD418AB255DB756946CF90

Control-flow Graph: function at c344c4 (basic blocks c344c4-c35a61, calls CreateActCtxA); interactive graph node/edge data and executed/not-executed legend not reproduced.

APIs
• CreateActCtxA.KERNEL32(?), ref: 00C359C9
Memory Dump Source
• Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 49e7f2a184094d76fb05396de06e80f0f5b263cbeac4f9d3a18ff271531e7246
• Instruction ID: f3cec6d075265abb560d0e3e873d3e3a82f656eb38e9eb6cdd9cb9f94394fe1e
• Opcode Fuzzy Hash: 49e7f2a184094d76fb05396de06e80f0f5b263cbeac4f9d3a18ff271531e7246
• Instruction Fuzzy Hash: 3041DFB0C00B1DCBDB24DFAAC884B9EBBF5BF49304F24816AD418AB255DB756945CF90

Control-flow Graph: function at 28c0007 (basic blocks 28c0007-28c0104, calls Wow64SetThreadContext); interactive graph node/edge data and executed/not-executed legend not reproduced.

APIs
• Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 028C00BE
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 244569ee14b2d93c75227a97353c75ad919a9b2fdedc18aa65060ac6bd08e9d4
• Instruction ID: e4c8a624feafaf413c771509453e023585863c241b2f76a1afeb61db55942a70
• Opcode Fuzzy Hash: 244569ee14b2d93c75227a97353c75ad919a9b2fdedc18aa65060ac6bd08e9d4
• Instruction Fuzzy Hash: 2931E2759093888FCB11CFB9C4447DEBFF4AF4A324F1984AED488AB252C7389544CB65

Control-flow Graph: function at 28c01d0 (basic blocks 28c01d0-28c02ae, calls WriteProcessMemory); interactive graph node/edge data and executed/not-executed legend not reproduced.

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028C0268
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 339e945dbafb183acd19daa72db2c7d6502789bc9fddaad266eaf4626878e9bd
• Instruction ID: dbb401006d84e2741e416be7da741400771cc31d4f425b9588035a7364ac7896
• Opcode Fuzzy Hash: 339e945dbafb183acd19daa72db2c7d6502789bc9fddaad266eaf4626878e9bd
• Instruction Fuzzy Hash: FA214875900349DFCB10CFA9C985BEEBBF5FF48320F108429E958A7250D7789944CBA0

Control-flow Graph: function at 28c01d8 (basic blocks 28c01d8-28c02ae, calls WriteProcessMemory); interactive graph node/edge data and executed/not-executed legend not reproduced.

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028C0268
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: d3723245b7b4f932b407834eba04e7e0b5c2ca33f75198a2298236dea70f3158
• Instruction ID: 3f47e3834ce28ad2d2b61d9780cefe2004f9bd1ee9f82c1abb02062848081a5c
• Opcode Fuzzy Hash: d3723245b7b4f932b407834eba04e7e0b5c2ca33f75198a2298236dea70f3158
• Instruction Fuzzy Hash: BB2127B5900359DFCB10CFA9C985BEEBBF5FF48320F108429E958A7251D7789944CBA4
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028C0348
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: d7e6472c8d705f23109b4d8b2322c329d9dbd109dd53dcac7c84b813a1e3ca2b
• Instruction ID: d5d47491b6bff44f9420ad6c19b9d2fc9b5812238eab5411cd64509ae94e3d22
• Opcode Fuzzy Hash: d7e6472c8d705f23109b4d8b2322c329d9dbd109dd53dcac7c84b813a1e3ca2b
• Instruction Fuzzy Hash: 0E2136B5900349DFCB10DFAAC980AEEFBF5FF48320F148429E558A7250C7349944CBA4
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C3D717
Memory Dump Source
• Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 9936ffa0c02ec083fbe1a38bb0de3b47b5132a03581cdde81dd63e52ca9ea842
• Instruction ID: 4300596d12a4a9fee75781ec83036be2788cec1b7656f3d0e2530325b165aa81
• Opcode Fuzzy Hash: 9936ffa0c02ec083fbe1a38bb0de3b47b5132a03581cdde81dd63e52ca9ea842
• Instruction Fuzzy Hash: 632114B5900258DFDB10CF9AD584ADEBFF4EB48320F14841AE918A7310C378A940CFA1
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028C0348
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 504760644b7b526f17f8255be21866414b6fe6feee5c2ad2acf7568e9570bb27
• Instruction ID: 4e614f1c7b1550e35ff32e8705678180b0ebeed6613e0ee23f73d734116b70a9
• Opcode Fuzzy Hash: 504760644b7b526f17f8255be21866414b6fe6feee5c2ad2acf7568e9570bb27
• Instruction Fuzzy Hash: 602128B5900359DFCB10DFAAC980ADEBBF5FF48320F148429E558A7250C7759544CBA4
APIs
• Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 028C00BE
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: b92b849ed48e303e663e6dd1add0852fd0e5ea7523108eec5019a901d4f0f26d
• Instruction ID: c10f4ee2cd0f3d971de3ba3c2cd6d8739b8ee5bb329d5f46552f58ef55cdabf8
• Opcode Fuzzy Hash: b92b849ed48e303e663e6dd1add0852fd0e5ea7523108eec5019a901d4f0f26d
• Instruction Fuzzy Hash: 812135B5900309CFDB10DFAAC5857EEBBF4EF48324F20842AD559A7240CB78A944CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C3D717
Memory Dump Source
• Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c2dcd2934a28874a364446afca24ed9c8f4ae3bcaa622b5b019af7ccd571742e
• Instruction ID: b1ee6ec7f108f1613e4de702fb4e109061ea5ae7ba0b9bd1033a000abb5460bb
• Opcode Fuzzy Hash: c2dcd2934a28874a364446afca24ed9c8f4ae3bcaa622b5b019af7ccd571742e
• Instruction Fuzzy Hash: 1321E4B5900248DFDB10CF9AD584ADEBBF8EB48320F14841AE915A3350D374A940CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028C0186
Memory Dump Source
• Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 91d35bedbe179913f1af35c9c341acc60d03be7607e829717dfbebe43c93b25a
• Instruction ID: fc8fb366a4dd4aa1320aae6f8702279b5b3dc0502d986890b431a555f4d16230
• Opcode Fuzzy Hash: 91d35bedbe179913f1af35c9c341acc60d03be7607e829717dfbebe43c93b25a
• Instruction Fuzzy Hash: 3B112675900249DFCB10DFAAC944BDFBFF5EB48320F20881AE559A7250C775A944CFA0
APIs
Memory Dump Source
• Source File: 00000005.00000002.1846547828.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5020000_Exccelworkbook.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 1a4b5c6d8db9c44c73cabce9ffb6e9fa6a2394cf42f5bae8f0d2d688c0a750f3
• Instruction ID: f97f9790f6458a9bf825fb77990b60af4c57b75fa8ee37bd37b209c8fce717f3
• Opcode Fuzzy Hash: 1a4b5c6d8db9c44c73cabce9ffb6e9fa6a2394cf42f5bae8f0d2d688c0a750f3
• Instruction Fuzzy Hash: F21158B19042898FCB10DFAAC5457DEFBF8EF89324F208429D459A7250CB35A944CFA4
APIs
Memory Dump Source
• Source File: 00000005.00000002.1846547828.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5020000_Exccelworkbook.jbxd
Similarity
• API ID: ResumeThread
                                                                                              • String ID:
                                                                                              • API String ID: 947044025-0
                                                                                              • Opcode ID: bcbaa10668746b58edb53617590de5127bf0f9660776b7bd50271eb5490b8db0
                                                                                              • Instruction ID: 0434de71e0ee4eb11757e5f611552d441c8b0bd8b5e2456aca9adb139bc7190a
                                                                                              • Opcode Fuzzy Hash: bcbaa10668746b58edb53617590de5127bf0f9660776b7bd50271eb5490b8db0
                                                                                              • Instruction Fuzzy Hash: 9E1136B19043598FDB20DFAAC5457DEFBF8EF88324F208829D459A7250CB75A944CFA4
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00C3AFFE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1812699600.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_c30000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: e783b82a021101ea4f3e6cccbb9e9c4713f5cb72b42743ff72f719df6c9303a6
                                                                                              • Instruction ID: ed71f7ae2a40b4844ff046cf090a4cdba8c4820419643e6624496d6f030178f9
                                                                                              • Opcode Fuzzy Hash: e783b82a021101ea4f3e6cccbb9e9c4713f5cb72b42743ff72f719df6c9303a6
                                                                                              • Instruction Fuzzy Hash: FF11E0B5C002498FDB14CF9AC544ADEFBF4AB88324F10842AD969A7210D375AA45CFA5
                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 028C2705
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: 053ae97ed88ccf2eab8571bb7bca6eb54d7124dd7935e211512a81f6cae42033
                                                                                              • Instruction ID: 9330485a749cd603d2b3b3063b27b30f0581028bce40ee5871b1b760f69b809f
                                                                                              • Opcode Fuzzy Hash: 053ae97ed88ccf2eab8571bb7bca6eb54d7124dd7935e211512a81f6cae42033
                                                                                              • Instruction Fuzzy Hash: 6F11E3B58002499FDB10CF99D585BDEBBF8EB48324F208459D958A7251C375A944CFA1
                                                                                              APIs
                                                                                              • PostMessageW.USER32(?,?,?,?), ref: 028C2705
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1815630375.00000000028C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_28c0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: MessagePost
                                                                                              • String ID:
                                                                                              • API String ID: 410705778-0
                                                                                              • Opcode ID: 3f933c0c286df2c18b426e9596e59e5f73c77a42a70e800446d62c7a25779e60
                                                                                              • Instruction ID: 370714769344ece884fe523cbd995222ffc0a148405cdc8d607f12a5db037a52
                                                                                              • Opcode Fuzzy Hash: 3f933c0c286df2c18b426e9596e59e5f73c77a42a70e800446d62c7a25779e60
                                                                                              • Instruction Fuzzy Hash: 151103B9800348DFDB10CF9AC984BDEBBF8EB48324F208459D958A7250C375A544CFA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806667015.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b8d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ae505882361efc24b18d87f0cedcd127b74812a760b64a1677f1949fc1379a00
                                                                                              • Instruction ID: 770c3b8b9fef83106fe1e2bd5b980ea012fa8f21e580add168c3b8ac4affa169
                                                                                              • Opcode Fuzzy Hash: ae505882361efc24b18d87f0cedcd127b74812a760b64a1677f1949fc1379a00
                                                                                              • Instruction Fuzzy Hash: 1E210A71504204DFDB05EF14D9C4B17BFA5FB94324F28C5AAD9094B3A6C336E856C7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806667015.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b8d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b86b54aca0811bc175a7302eddb6c1029d812f7c7f0b7e0aaef32cc2d21c15ac
                                                                                              • Instruction ID: 6fc4a4927b7253b64aa308988bbfd6d724d80ebff695c2743d2ff972f5b33d05
                                                                                              • Opcode Fuzzy Hash: b86b54aca0811bc175a7302eddb6c1029d812f7c7f0b7e0aaef32cc2d21c15ac
                                                                                              • Instruction Fuzzy Hash: 2521C471504240DFDB05EF14D9C0B66BFA5FBA4318F24C5ABD9054A2A6C336D856C7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806725572.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b9d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 741b79f5e43fbcbc6290ed8d05d411f1b4a6004c5a0f7ead29c1139b660ac707
                                                                                              • Instruction ID: f6500fad0ab4746a9da0fb49a3cb2f007df13a8c975506b0288b10a5e7585e64
                                                                                              • Opcode Fuzzy Hash: 741b79f5e43fbcbc6290ed8d05d411f1b4a6004c5a0f7ead29c1139b660ac707
                                                                                              • Instruction Fuzzy Hash: 5D21DE71604200DFDF14DF25D9D4B26BBA5EB88314F20C6B9E84A4B296C33AD846CA61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806725572.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b9d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7a89ac9c536af73cfa7013df294514790cc8286227b74a0df36537027751138b
                                                                                              • Instruction ID: bc44893e97646d7825343f04d92d29f591ae7a41e847027b5f6c7d05a7b537f7
                                                                                              • Opcode Fuzzy Hash: 7a89ac9c536af73cfa7013df294514790cc8286227b74a0df36537027751138b
                                                                                              • Instruction Fuzzy Hash: 05212371604200EFDF05DF15DAC0B26BBE5FB88314F20C6BDE9094B296C33AD846CA61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806725572.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b9d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 438be6f1d441c551f0e1e629f73a0fe8c74213f4ea99c9281ca23474a010f71c
                                                                                              • Instruction ID: 007b875b7ece79b4f96b84653d7961185f7080661c091d804b7627c932f1d8fe
                                                                                              • Opcode Fuzzy Hash: 438be6f1d441c551f0e1e629f73a0fe8c74213f4ea99c9281ca23474a010f71c
                                                                                              • Instruction Fuzzy Hash: 4621A4755093808FDB06CF24D5A4715BFB1EB45314F28C5EAD8498B297C33A980ACB62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806667015.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b8d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                              • Instruction ID: 55a287b6cafc172676a04ebbed4d45830be1c776ebff26e666c797e3c5ad6b99
                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                              • Instruction Fuzzy Hash: 22110372504280CFCB02DF10D5C4B56BFB1FBA4318F24C6ABD8090B666C336D85ACBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806667015.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b8d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                              • Instruction ID: 91c6d6a8ed4bb326f18c4264613658aa4bff159436fc4d601d334a5edef4bf21
                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                              • Instruction Fuzzy Hash: E711E172504240DFCB02DF00D5C4B16BFB1FB94324F28C2AAD8090B366C33AE85ACBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.1806725572.0000000000B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_b9d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction ID: 7a8f23bab797aeb2d8c4b64587589c8ae5cf4963c57336190a21d3a89495505c
                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction Fuzzy Hash: 10118B75504280DFDB16CF14D5C4B15BBA1FB94314F24C6AAD8494B6A6C33AD84ACB61

                                                                                              Execution Graph

                                                                                              Execution Coverage:11.5%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:254
                                                                                              Total number of Limit Nodes:12
                                                                                              • Execution graph node/edge listing (graph rendering residue) omitted. API calls referenced by the graph nodes: PostMessageW, WriteProcessMemory, VirtualAllocEx, CreateProcessA, Wow64SetThreadContext, ResumeThread, ReadProcessMemory, CallWindowProcW, DuplicateHandle, GetModuleHandleW, CreateActCtxA.
Control-flow Graph
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: 0%p1$0%p1
• API String ID: 0-3740086479
• Opcode ID: 91ba78a34c8595b2901112598e1594ebb444814280ed5200d424cda2d6a91cbd
• Instruction ID: 000f6b33f4eefa53961ee260fcac3fe2aa18b23f7cf3fb4425bb11f5e163b5e8
• Opcode Fuzzy Hash: 91ba78a34c8595b2901112598e1594ebb444814280ed5200d424cda2d6a91cbd
• Instruction Fuzzy Hash: 75E1C2B0D14249DFCB44DF99D8808EEFBB2FF49310B14CA5AE416AB215C7349A82CF95
Control-flow Graph
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: 0%p1$0%p1
• API String ID: 0-3740086479
• Opcode ID: 8a01aa7a10918226d54e9d71b7edbab5ad261b66587d374339b768f9d44eee11
• Instruction ID: 1ba487646f3b4494b46206c327f36af3b9280e2d0c7d974b71dcedc3151c97cf
• Opcode Fuzzy Hash: 8a01aa7a10918226d54e9d71b7edbab5ad261b66587d374339b768f9d44eee11
• Instruction Fuzzy Hash: 92E1C1B0D14249DFCB44DF99D8808EEFBB2FF49310B14DA5AE416AB215C7349A86CF91
Control-flow Graph
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: 0%p1$0%p1
• API String ID: 0-3740086479
• Opcode ID: 45f68b7c92e5b7c5f1394e1ed0b8f943325db46598822f3253b6875d91744822
• Instruction ID: 8321da3844e410b456b801bcabd4512df8f99b3a91847f2a10eb2188e700ba74
• Opcode Fuzzy Hash: 45f68b7c92e5b7c5f1394e1ed0b8f943325db46598822f3253b6875d91744822
• Instruction Fuzzy Hash: E4C139B0D1520ADFCB48DF99C4818AEFBB2FF89340F14D659E416AB254D734A982CF94

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: O5>M
• API String ID: 0-2302383708
• Opcode ID: 65f7535ae15104c54568bdd5b2958a0b42bf61a1566f1da3044deac6289f6ddb
• Instruction ID: a92517d9bd68ad375e17525274312538580c3167620bee826722058f865c5dff
• Opcode Fuzzy Hash: 65f7535ae15104c54568bdd5b2958a0b42bf61a1566f1da3044deac6289f6ddb
• Instruction Fuzzy Hash: 1BB159B1E19619DFCB44DFAAD98089EFBB2FF89300F14D626D416BB215D73099028F64

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: O5>M
• API String ID: 0-2302383708
• Opcode ID: 1552eabfdcbc657b9371066ba90b011747074b6b7b71aa3ab1f7c1aff4877548
• Instruction ID: 4b8f9878dd5d6f7b48bffeb5e35d70054ed4c452c9cd2e65349c1d7703f6022b
• Opcode Fuzzy Hash: 1552eabfdcbc657b9371066ba90b011747074b6b7b71aa3ab1f7c1aff4877548
• Instruction Fuzzy Hash: 23B13AB0E19619DFCB44DFAAD98489EFBB2FF89300F14D626D416BB215D73099028F64

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: 7{f'
• API String ID: 0-2192695807
• Opcode ID: 95a0aa929dbcae72f3f8aa616c8045d1839fce3ba43d7cd01904e0911fa27868
• Instruction ID: 51332d8687e3b85bd88f0d349276bf741a6fb747d7bf790247a1194d6dcbe21d
• Opcode Fuzzy Hash: 95a0aa929dbcae72f3f8aa616c8045d1839fce3ba43d7cd01904e0911fa27868
• Instruction Fuzzy Hash: 0DA14AB0E1624ADFCB44DFE5D6809DDFBB2EB8A310F20952AD406B7254DB349946CB14

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: 7{f'
• API String ID: 0-2192695807
• Opcode ID: f80e85ed43dfececaba01344f61896a40a838cf7427b5b3a8aa1e3bd334450b8
• Instruction ID: 12e2d9e67381f52c60b9a824fe767d4306b4d35b7a21db0b80d28dccfef971ba
• Opcode Fuzzy Hash: f80e85ed43dfececaba01344f61896a40a838cf7427b5b3a8aa1e3bd334450b8
• Instruction Fuzzy Hash: 85A128B0E1624ADFCB44DFE5D680ADDFFB2EB8A310F20A51AD406B7254DB349946CB14

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Z
• API String ID: 0-1862792848
• Opcode ID: 95ee93b7c0ef91989351cdd493508b999314e9e53cf1ce29c02e1ed92cbef0f6
• Instruction ID: 42b1023044be89c299cc43cc76550b8e1239ba6dfd305e496ae87f5eab192689
• Opcode Fuzzy Hash: 95ee93b7c0ef91989351cdd493508b999314e9e53cf1ce29c02e1ed92cbef0f6
• Instruction Fuzzy Hash: 2F9119B4E1522ACFCB44DFA9C4419EEFBB2FB89200F10951AD816B7358D7399902CF54

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Z
• API String ID: 0-1862792848
• Opcode ID: 807473e20ec5f950233aca1903dfa50032c7e692e6c73b82a07a2ce0698b4e40
• Instruction ID: 8e71e735ea590de81908dd43cdf3027ad0dafb71f65cace7f9180a11ea337c88
• Opcode Fuzzy Hash: 807473e20ec5f950233aca1903dfa50032c7e692e6c73b82a07a2ce0698b4e40
• Instruction Fuzzy Hash: F99128B4E1522ACFCB44DFA9C8419EEFBB2FF89200F10955AD815A7358D7389906CF54

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9721c3ef9eddd2ca6b15570885018e33a35cc988457c1feb3535e0b4d748c9b
• Instruction ID: 0db7e15a936b02d83cd462e9d3c3fdce14a87cca1593edec7a325c6603681aae
• Opcode Fuzzy Hash: f9721c3ef9eddd2ca6b15570885018e33a35cc988457c1feb3535e0b4d748c9b
• Instruction Fuzzy Hash: 934104B4E11508EFC748CF9AE18499DFBF2FF89210B55C1E6D459AB325D731DA108B04

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0bc40c2b76a5b31666264100882da28a2944e209ef584e886f2e6c64549be88
• Instruction ID: ff30f287dd307cf538d2f1c17bc6aeaab18125444bc16196076ea0d85bae76ae
• Opcode Fuzzy Hash: d0bc40c2b76a5b31666264100882da28a2944e209ef584e886f2e6c64549be88
• Instruction Fuzzy Hash: 5F41EFB4E11508EFC748CF9AE18499DFBF2EF89210F55D1E6D459AB324EB31DA118B04

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f87ee9d78fa097736334bb7c95fa610362f16a0a4d24148af13d39868e92e70a
• Instruction ID: 31402d6ae70453ec9348edf593da651cace313bc3083d28023f68fb331a08e54
• Opcode Fuzzy Hash: f87ee9d78fa097736334bb7c95fa610362f16a0a4d24148af13d39868e92e70a
• Instruction Fuzzy Hash: 983163B1D053848FDB45CFA6C8502DEBFB2AFC6310F18C1ABD444AB265DA350945CF51

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88b1d2c73897626c67a6ddfa86d15386ba071a874a2bb6cd69b59cbcecefa28c
• Instruction ID: 37db26f4f6bb7e0520e8f0a91290c9194a8a1f0e80a34cc19b6dd155e2ba7834
• Opcode Fuzzy Hash: 88b1d2c73897626c67a6ddfa86d15386ba071a874a2bb6cd69b59cbcecefa28c
• Instruction Fuzzy Hash: 052112B1E006189BDB58CFAAD8442DEBBF3AFC8310F14C16AD409A6228DB340A49CF50
Control-flow Graph
                                                                                              APIs
                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 051B0696
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: ebc5e8a001cae3686eac08cacb633e55dab236aa08fb45b09801d74b3cc1f7e3
                                                                                              • Instruction ID: d48dc2273644b22328f1b1918f62be6a276a4652e4f19a2490b76ccfdeeeed20
                                                                                              • Opcode Fuzzy Hash: ebc5e8a001cae3686eac08cacb633e55dab236aa08fb45b09801d74b3cc1f7e3
                                                                                              • Instruction Fuzzy Hash: 29A15F71D00219DFEB10DF68C8497EEBBB2FF48310F1485A9E849A7250DB749A85CF91

                                                                                              Control-flow Graph (basic-block ranges and edges; the rendered graph marks each block as Executed or Not Executed)
                                                                                              control_flow_graph 1248 51b0460-51b04f5 1250 51b052e-51b054e 1248->1250 1251 51b04f7-51b0501 1248->1251 1256 51b0550-51b055a 1250->1256 1257 51b0587-51b05b6 1250->1257 1251->1250 1252 51b0503-51b0505 1251->1252 1253 51b0528-51b052b 1252->1253 1254 51b0507-51b0511 1252->1254 1253->1250 1258 51b0513 1254->1258 1259 51b0515-51b0524 1254->1259 1256->1257 1260 51b055c-51b055e 1256->1260 1267 51b05b8-51b05c2 1257->1267 1268 51b05ef-51b06a9 CreateProcessA 1257->1268 1258->1259 1259->1259 1261 51b0526 1259->1261 1262 51b0581-51b0584 1260->1262 1263 51b0560-51b056a 1260->1263 1261->1253 1262->1257 1265 51b056e-51b057d 1263->1265 1266 51b056c 1263->1266 1265->1265 1269 51b057f 1265->1269 1266->1265 1267->1268 1270 51b05c4-51b05c6 1267->1270 1279 51b06ab-51b06b1 1268->1279 1280 51b06b2-51b0738 1268->1280 1269->1262 1272 51b05e9-51b05ec 1270->1272 1273 51b05c8-51b05d2 1270->1273 1272->1268 1274 51b05d6-51b05e5 1273->1274 1275 51b05d4 1273->1275 1274->1274 1277 51b05e7 1274->1277 1275->1274 1277->1272 1279->1280 1290 51b073a-51b073e 1280->1290 1291 51b0748-51b074c 1280->1291 1290->1291 1292 51b0740 1290->1292 1293 51b074e-51b0752 1291->1293 1294 51b075c-51b0760 1291->1294 1292->1291 1293->1294 1295 51b0754 1293->1295 1296 51b0762-51b0766 1294->1296 1297 51b0770-51b0774 1294->1297 1295->1294 1296->1297 1298 51b0768 1296->1298 1299 51b0786-51b078d 1297->1299 1300 51b0776-51b077c 1297->1300 1298->1297 1301 51b078f-51b079e 1299->1301 1302 51b07a4 1299->1302 1300->1299 1301->1302 1304 51b07a5 1302->1304 1304->1304
                                                                                              APIs
                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 051B0696
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: CreateProcess
                                                                                              • String ID:
                                                                                              • API String ID: 963392458-0
                                                                                              • Opcode ID: c8c867c658dc7e2d851925312b977a0976cecd2c12fdd5e3816b4b9fa0d0a8a7
                                                                                              • Instruction ID: d514ba60d3709eb8c09269dae945978311bf5ded637de957c14a1f24e7bfb605
                                                                                              • Opcode Fuzzy Hash: c8c867c658dc7e2d851925312b977a0976cecd2c12fdd5e3816b4b9fa0d0a8a7
                                                                                              • Instruction Fuzzy Hash: B1913F71D00619DFEB10DF68C849BEEBBB2FF48310F148169D849A7250DB749A85CF91

                                                                                              Control-flow Graph (basic-block ranges and edges; the rendered graph marks each block as Executed or Not Executed)
                                                                                              control_flow_graph 1305 187ada8-187adb7 1306 187ade3-187ade7 1305->1306 1307 187adb9-187adc6 call 187a0cc 1305->1307 1309 187adfb-187ae3c 1306->1309 1310 187ade9-187adf3 1306->1310 1313 187addc 1307->1313 1314 187adc8 1307->1314 1316 187ae3e-187ae46 1309->1316 1317 187ae49-187ae57 1309->1317 1310->1309 1313->1306 1360 187adce call 187b031 1314->1360 1361 187adce call 187b040 1314->1361 1316->1317 1318 187ae7b-187ae7d 1317->1318 1319 187ae59-187ae5e 1317->1319 1324 187ae80-187ae87 1318->1324 1321 187ae60-187ae67 call 187a0d8 1319->1321 1322 187ae69 1319->1322 1320 187add4-187add6 1320->1313 1323 187af18-187afd8 1320->1323 1328 187ae6b-187ae79 1321->1328 1322->1328 1355 187afe0-187b00b GetModuleHandleW 1323->1355 1356 187afda-187afdd 1323->1356 1326 187ae94-187ae9b 1324->1326 1327 187ae89-187ae91 1324->1327 1331 187ae9d-187aea5 1326->1331 1332 187aea8-187aeaa call 187a0e8 1326->1332 1327->1326 1328->1324 1331->1332 1335 187aeaf-187aeb1 1332->1335 1336 187aeb3-187aebb 1335->1336 1337 187aebe-187aec3 1335->1337 1336->1337 1338 187aec5-187aecc 1337->1338 1339 187aee1-187aeee 1337->1339 1338->1339 1341 187aece-187aede call 187a0f8 call 187a108 1338->1341 1346 187af11-187af17 1339->1346 1347 187aef0-187af0e 1339->1347 1341->1339 1347->1346 1357 187b014-187b028 1355->1357 1358 187b00d-187b013 1355->1358 1356->1355 1358->1357 1360->1320 1361->1320
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0187AFFE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1874491758.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_1870000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 605de201aa574577382fc760eb3a70e2c75e881a92fe25420ae64fbf5ebd3e45
                                                                                              • Instruction ID: 047555648692ff10e7d7a502c5b74bfea2eb9e79dbcaf5d85bc68b83d9eace54
                                                                                              • Opcode Fuzzy Hash: 605de201aa574577382fc760eb3a70e2c75e881a92fe25420ae64fbf5ebd3e45
                                                                                              • Instruction Fuzzy Hash: EA713370A00B058FD728DF2AD44579ABBF1FF88304F048A2DD08AD7A50DB75EA49CB91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4'kq
                                                                                              • API String ID: 0-3255046985
                                                                                              • Opcode ID: a0d9ecbd38053632bb106ee1c6d23ff42cc1cce9955f4cdad8bef222c0831bca
                                                                                              • Instruction ID: 4eed76f44bc84462c46b72cf202a9d8faaa3c028d9f42bb9f31ed66aded7422b
                                                                                              • Opcode Fuzzy Hash: a0d9ecbd38053632bb106ee1c6d23ff42cc1cce9955f4cdad8bef222c0831bca
                                                                                              • Instruction Fuzzy Hash: 84E172B4B00209DFDB45DFB9D944AAEBBB6FF88300F108558E405A73A8DE369D85CB51
                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 018759C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1874491758.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_1870000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: a79741462f76dabc39ead56b4fda5c12a2d574f9b10ce2b8547050f3874fe9ef
                                                                                              • Instruction ID: 8dd9e3e43e18bd7e1dcbdf1a54e2727a22bb4e866a68b5c226acc969284c88e8
                                                                                              • Opcode Fuzzy Hash: a79741462f76dabc39ead56b4fda5c12a2d574f9b10ce2b8547050f3874fe9ef
                                                                                              • Instruction Fuzzy Hash: 3B41A2B0C0071DCBDB24DFA9C984B9DBBB5FF49304F2480AAD409AB255DB756945CF90
                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 018759C9
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1874491758.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_1870000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: 9f96d8c3238f52488a659359f81313c40b07150fb4f5dae41c547c068b24e88b
                                                                                              • Instruction ID: a1a0b755f28bd4f69cd48a8b8cfa633838c22d8a7970a7a93ffd640faa402b1e
                                                                                              • Opcode Fuzzy Hash: 9f96d8c3238f52488a659359f81313c40b07150fb4f5dae41c547c068b24e88b
                                                                                              • Instruction Fuzzy Hash: 7B41B2B0C00719CFDB24DFA9C984B9DBBB5BF49304F2480AAD409AB255DB756A85CF90
                                                                                              APIs
                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05744101
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1902332019.0000000005740000.00000040.00000800.00020000.00000000.sdmp, Offset: 05740000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_5740000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: CallProcWindow
                                                                                              • String ID:
                                                                                              • API String ID: 2714655100-0
                                                                                              • Opcode ID: 8defc09666c57bea27b9c325d46f29995e7a7797946c818109bb2aef06bddd93
                                                                                              • Instruction ID: d7691cbd683749780398e992e4ad0859e716499f0def237aef433108f00a5a5a
                                                                                              • Opcode Fuzzy Hash: 8defc09666c57bea27b9c325d46f29995e7a7797946c818109bb2aef06bddd93
                                                                                              • Instruction Fuzzy Hash: 3F41F7B4900249DFCB14CF99C848BAABBF6FB98314F24C499D519AB321D775A841DFA0
                                                                                              APIs
                                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 051B00BE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 983334009-0
                                                                                              • Opcode ID: fe0afdd74c692c2aba81f9ff03c0b7fd538fda163e4ed5f0372498bc07749ccf
                                                                                              • Instruction ID: 50bb5d228aaf4449337a4764fb94e70284f9b8da7c6710d2ef36ca782032a0ab
                                                                                              • Opcode Fuzzy Hash: fe0afdd74c692c2aba81f9ff03c0b7fd538fda163e4ed5f0372498bc07749ccf
                                                                                              • Instruction Fuzzy Hash: C5319A718043488FDB11CFA9C9847EEBFF5FF49324F18846AD459AB252D7789948CBA0
                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 051B0268
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: df2cda2adec5ac19b7f6d0190fe227e529a0fe8cf67d10772d6126558d5c876b
                                                                                              • Instruction ID: 37d71bd5dc2918c8c27833144bde7fe466eaececffe7954ef6a28190670c5b56
                                                                                              • Opcode Fuzzy Hash: df2cda2adec5ac19b7f6d0190fe227e529a0fe8cf67d10772d6126558d5c876b
                                                                                              • Instruction Fuzzy Hash: 9A2155B19003499FDF10CFA9C984BDEBBF5FF48320F10842AE959A7250C778A944CBA0
                                                                                              APIs
                                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 051B0268
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessWrite
                                                                                              • String ID:
                                                                                              • API String ID: 3559483778-0
                                                                                              • Opcode ID: 4a113609868026f88b8bc35bee8998d7c97be757640d9dd59add7afe56a507dd
                                                                                              • Instruction ID: 0a113c21afe3f68f08a2483f40266dcb574e9cb0a3d5970273dd08787ee42a74
                                                                                              • Opcode Fuzzy Hash: 4a113609868026f88b8bc35bee8998d7c97be757640d9dd59add7afe56a507dd
                                                                                              • Instruction Fuzzy Hash: 222157B59003598FDF10CFA9C9857EEBBF5FF48310F10842AE959A7250C778A954CBA0
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0187D656,?,?,?,?,?), ref: 0187D717
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1874491758.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_1870000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 0cd7231cae04d5be99f18be92af0db01c55852aaffc2b631ea920f124879037f
                                                                                              • Instruction ID: e6bef48db08186ebdc333cfdb3de331c12f88a55dfbd3fe959b60579dab1675b
                                                                                              • Opcode Fuzzy Hash: 0cd7231cae04d5be99f18be92af0db01c55852aaffc2b631ea920f124879037f
                                                                                              • Instruction Fuzzy Hash: E221D2B5900248AFDB10CF9AD984AEEFBF4EB48314F14855AE918A7310D374A954CFA5
                                                                                              APIs
                                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051B0348
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: MemoryProcessRead
                                                                                              • String ID:
                                                                                              • API String ID: 1726664587-0
                                                                                              • Opcode ID: 72273d4c849e26dc0d7b2e54b6417b24476c5c6b1757f0f2f1a00f3b0b190534
                                                                                              • Instruction ID: 74efb51c0f6074091b33f0cd6ce38db7fda06fe886db6b1fced74c16430a11a8
                                                                                              • Opcode Fuzzy Hash: 72273d4c849e26dc0d7b2e54b6417b24476c5c6b1757f0f2f1a00f3b0b190534
                                                                                              • Instruction Fuzzy Hash: 6D2148B18003499FCB10DFAAC984BDEBBF5FF48320F108429E559A7250C7789944CBA0
                                                                                              APIs
                                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 051B00BE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: ContextThreadWow64
                                                                                              • String ID:
                                                                                              • API String ID: 983334009-0
                                                                                              • Opcode ID: 479944499fdf95522bb45004b76ab13460b0b2e44800993cde2befcf4fe8bf54
                                                                                              • Instruction ID: 78273ef2dfda2d7ca8eb1df923b0c2de2e871266381debda48b7130038fb19ed
                                                                                              • Opcode Fuzzy Hash: 479944499fdf95522bb45004b76ab13460b0b2e44800993cde2befcf4fe8bf54
                                                                                              • Instruction Fuzzy Hash: E72115B19003098FDB10DFAAC5857EEBBF4EF48364F14842AD559A7240DB78A944CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051B0348
Memory Dump Source
• Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 4518ef2737fbe739c7c5d838e0a15d145fb09211ab83e94be26de92e3a7ddb69
• Instruction ID: 4aadac47667fed2f18ee66806aa795f26e0892546f0f41f926386305929868df
• Opcode Fuzzy Hash: 4518ef2737fbe739c7c5d838e0a15d145fb09211ab83e94be26de92e3a7ddb69
• Instruction Fuzzy Hash: C22125B18003599FDB10DFAAC984AEEBBF5FF48320F10842AE559A7250C7799944CBA4

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0187D656,?,?,?,?,?), ref: 0187D717
Memory Dump Source
• Source File: 00000006.00000002.1874491758.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1870000_Exccelworkbook.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 178549ada40087ad00aecafd8646f685839f732bc6a0d88ea7cf8a51598716e6
• Instruction ID: 6327a119f85c681d74b1288416d1194fba7b1914546b96599ca6815e38a94ef8
• Opcode Fuzzy Hash: 178549ada40087ad00aecafd8646f685839f732bc6a0d88ea7cf8a51598716e6
• Instruction Fuzzy Hash: D921DFB99002599FDB10CFA9D984ADEBBF5EF48314F14841AE918A3350D374AA54CFA4

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051B0186
Memory Dump Source
• Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 01263993bee4470b53753f31b03b91b3cc95f5eaa1cd3ebe4f27986cb239ee01
• Instruction ID: 1cec6a049cab309c306aefcd3c4d0b3549ec1a32b186b62121a7f400ad13e754
• Opcode Fuzzy Hash: 01263993bee4470b53753f31b03b91b3cc95f5eaa1cd3ebe4f27986cb239ee01
• Instruction Fuzzy Hash: 5C215672900249ABDB10DFAAC844ADFFFF5FB48320F248419E55AA7210C775A954CBA0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051B0186
Memory Dump Source
• Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: a9fa7562dc79e5bf523941cfe28111fedd5cc2b02fd0c29fd40c885c76af4b71
• Instruction ID: 9c00db26e5ae6d496273fc8c2a13c996e31529ae9d908362c0d0885e996751a0
• Opcode Fuzzy Hash: a9fa7562dc79e5bf523941cfe28111fedd5cc2b02fd0c29fd40c885c76af4b71
• Instruction Fuzzy Hash: 5F1123729002499FDB10DFAAC844ADFBFF5EF88320F208819E559A7250CB75A954CFA0

APIs
Memory Dump Source
• Source File: 00000006.00000002.1903469950.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5820000_Exccelworkbook.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 6c30a6d6e9a02941b13d23aae3c80e2385293892adcebedfeaf072b98fdaf240
• Instruction ID: 9a627a26a09f0017b0c1847b38ea5bc3e146e487642ab66ba85d1dc37bbffd14
• Opcode Fuzzy Hash: 6c30a6d6e9a02941b13d23aae3c80e2385293892adcebedfeaf072b98fdaf240
• Instruction Fuzzy Hash: C81128B1D043588BCB10DFAAC54579EFFF4EF88324F248419D559A7250CB75A944CB94

APIs
Memory Dump Source
• Source File: 00000006.00000002.1903469950.0000000005820000.00000040.00000800.00020000.00000000.sdmp, Offset: 05820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_5820000_Exccelworkbook.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: dbd4d52a34539e29e0866a608d31c49262929d28d0f29774cb4f90248b191130
• Instruction ID: 32f7204c67b6f8edd26844806eb9b9988446e085d8a7a49e00168eba4acacdf1
• Opcode Fuzzy Hash: dbd4d52a34539e29e0866a608d31c49262929d28d0f29774cb4f90248b191130
• Instruction Fuzzy Hash: DA1125B19042988BCB20DFAAC54579EFBF8AF88324F208429D559A7250CB75A944CBA4

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0187AFFE
Memory Dump Source
• Source File: 00000006.00000002.1874491758.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_1870000_Exccelworkbook.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1660f0860faf6b207d9f8afd607ae61fe45282359c2c3cb849e6884efbb14faa
• Instruction ID: f8282948648c56f39ac0cd6237f519384d984151e69dc2f9b4c68a50782d644c
• Opcode Fuzzy Hash: 1660f0860faf6b207d9f8afd607ae61fe45282359c2c3cb849e6884efbb14faa
• Instruction Fuzzy Hash: 091110B5C002498FDB14CF9AC444ADEFBF4AF88324F10842AD529A7210D375A645CFA1

APIs
• PostMessageW.USER32(?,?,?,?), ref: 051B2705
Memory Dump Source
• Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 113d967529dfa201d04c19bc64e7a1192863d1a573985d8de71f72c93b7b6911
• Instruction ID: f4443dc5abb7725cdfce66b10b9dc62efbfa9a8d99f4136cfd492eca0b208f2e
• Opcode Fuzzy Hash: 113d967529dfa201d04c19bc64e7a1192863d1a573985d8de71f72c93b7b6911
• Instruction Fuzzy Hash: 9411F2B98003489FDB10DF9AD985BDEBBF8FB48324F208459E559A7210C3B9A544CFA5

APIs
• PostMessageW.USER32(?,?,?,?), ref: 051B2705
Memory Dump Source
• Source File: 00000006.00000002.1900548536.00000000051B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_51b0000_Exccelworkbook.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: fa20621343dfce09f68d359aa4441f1be5388272954bc5699b1cd42d2c9501df
• Instruction ID: 3ad221e3ad7dc8006adb28b826ba890dc46ce5e56570ed95494cf36b317970bd
• Opcode Fuzzy Hash: fa20621343dfce09f68d359aa4441f1be5388272954bc5699b1cd42d2c9501df
• Instruction Fuzzy Hash: 2111D3B58003499FDB10DF9AC985BDEBBF8FB48324F108459D559A7210C379A544CFA5

Strings
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Tekq
• API String ID: 0-2319236580
• Opcode ID: 21b19c8b9308b0b1be18b468b268b10ffc5bddb55c36a63ff1ecfb3eedd839d8
• Instruction ID: 6525c9128287b95fc64e8df880345f9e3182233980d6c9b904a251159639a5b3
• Opcode Fuzzy Hash: 21b19c8b9308b0b1be18b468b268b10ffc5bddb55c36a63ff1ecfb3eedd839d8
• Instruction Fuzzy Hash: 0F41DBB4E157088BDB44DFAAC4486EEBBF6AF89300F14912AD41AAB354DB706906CF50

Strings
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Tekq
• API String ID: 0-2319236580
• Opcode ID: 606bb80bf39d0f0b7c454f36442b0cc5f62b39f54f096dc0c230b51a9bc1f6da
• Instruction ID: dad87c1350f597190dde351c267809e5b6b4beda960c6df50fd28a45b45f12c2
• Opcode Fuzzy Hash: 606bb80bf39d0f0b7c454f36442b0cc5f62b39f54f096dc0c230b51a9bc1f6da
• Instruction Fuzzy Hash: CC31B1B4E04209CFCB08DFE9C4849ADBBB5FF89310F20916AE91AAB365C7316945CF50

Strings
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Tekq
• API String ID: 0-2319236580
• Opcode ID: d4dc7e79372b3fc142a4d4183fca12ff29fdd8fe1d6d66bbf61165d0110db9cd
• Instruction ID: e7af6f3f3fcf2339f396e0c902a09e97fe6fd84d40609f0fa36e5a45741b524a
• Opcode Fuzzy Hash: d4dc7e79372b3fc142a4d4183fca12ff29fdd8fe1d6d66bbf61165d0110db9cd
• Instruction Fuzzy Hash: 2121E7B1D046088BDB58DFAAC8486EEFBF6AF89300F14C12AD415AB354DB741946CF51

Strings
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Tekq
• API String ID: 0-2319236580
• Opcode ID: 1edd6e47df3e2485b231277ec1f6ca39b47104b55ff9cbeb1dc38747e9454165
• Instruction ID: 4364fe7d8adaecadc2bcfdd69e48f7eb52fd6e8cf8eaea8e9118040717ab1e17
• Opcode Fuzzy Hash: 1edd6e47df3e2485b231277ec1f6ca39b47104b55ff9cbeb1dc38747e9454165
• Instruction Fuzzy Hash: 6E115EB1B0020A8BCF54EBB999105EFB7B6AF99311B204179C506EB354EB359E11CBA1

Strings
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID: Lfo
• API String ID: 0-3361531095
• Opcode ID: 1b21c4589866813141385297b2936252fe97b10033af42eaeb5803485ae319ea
• Instruction ID: 8410675909de320c4e88bb9ad0377a1a46e93487b944e85c82dc41a834e19a23
• Opcode Fuzzy Hash: 1b21c4589866813141385297b2936252fe97b10033af42eaeb5803485ae319ea
• Instruction Fuzzy Hash: 7A010474A10214CFD712DFB4D58569CBB75FB88200B20991AD425A77D9DF309C418F00

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 182176b1f5d7e6fd90075a4217d7f89c12a92a512dd22f3f4db07a17761872e5
• Instruction ID: 470e7777a40d2ea46e8df5d12338b63cca0b5b2573313d2ff99b203629c32b2d
• Opcode Fuzzy Hash: 182176b1f5d7e6fd90075a4217d7f89c12a92a512dd22f3f4db07a17761872e5
• Instruction Fuzzy Hash: 9281D9B5B10215DFCB51DBB8D848ABEBBB6EF85310F14852AE917E7342DA308815CB61

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27f5701e891586891de107161bb958bb9552486b5cc88b24688f602f78f4799b
• Instruction ID: 9a617da4817dd3fbc52a0728d6731858662a0dcf9c37a582e5c1d2ae765c10da
• Opcode Fuzzy Hash: 27f5701e891586891de107161bb958bb9552486b5cc88b24688f602f78f4799b
• Instruction Fuzzy Hash: 4A8136B0915215CFDB90EF69C584AAEBBF6FF09315F14E295E00AAB212D730E885CF54

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82ce5a14223aa49d7697a72478ba757aeb37a8a45b27f01a2e65f2519765f581
• Instruction ID: 153de3f4eeb5b5de9aa5369055ab4a2606001973ad908ceb8c7c520a69ff0e3c
• Opcode Fuzzy Hash: 82ce5a14223aa49d7697a72478ba757aeb37a8a45b27f01a2e65f2519765f581
• Instruction Fuzzy Hash: A251B5B0A10219DFDB44EBA9D9417BEB6B2FF84310F108566E506AB3DADB709C41CB91

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bba2d7b219f1587636f7726dd15ba298d1de8e87562795bdbb867b0ec9fa4eef
• Instruction ID: 14655f554171383a4b805c31747b99850864aa660e6a3af6624401e861f9aa1e
• Opcode Fuzzy Hash: bba2d7b219f1587636f7726dd15ba298d1de8e87562795bdbb867b0ec9fa4eef
• Instruction Fuzzy Hash: 9751D1B0A54211CFD754ABB8C8017BABBA2EF45310F388667F516CB3A6D735D845C721

Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6c15ba78f9cc4df0bd00a3aa5ba5818fc3b1a0bbac8636824c6382f39956fc7
• Instruction ID: 09112c1b25bd4779d4b07e9a9c6e5dda793129743a06ccca54ce69177693e045
• Opcode Fuzzy Hash: c6c15ba78f9cc4df0bd00a3aa5ba5818fc3b1a0bbac8636824c6382f39956fc7
• Instruction Fuzzy Hash: 7051C3B0F00219DFDB44EBA5D9407AEBAB2FF88310F108566E506AB3D9DB709C41CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b4c9c0542c790288faba44840ad6e23368e60af548179824d779ffd0f9af14cc
                                                                                              • Instruction ID: 8ba90b4e95b86313840d4de3d57f150670ca09f3b07ed4effdc9fefe7b59b30f
                                                                                              • Opcode Fuzzy Hash: b4c9c0542c790288faba44840ad6e23368e60af548179824d779ffd0f9af14cc
                                                                                              • Instruction Fuzzy Hash: EF4138B0D152098FCB44DFEAC4446FEBBF6AB8D301F14E26AD80AA3201D7344A81CF65
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 70af7c7968f0632ce222bee5826daefd17199f33230112bd2830c58441a18d53
                                                                                              • Instruction ID: 77a4534a6e149e1bed34acaf6b25514f3e6357abad25d4c78bba8fddabf5d4d8
                                                                                              • Opcode Fuzzy Hash: 70af7c7968f0632ce222bee5826daefd17199f33230112bd2830c58441a18d53
                                                                                              • Instruction Fuzzy Hash: 1C41B6B5A10205DFCB919FA8D884ABDBBB6EF44700F00822BE503EB352DB719951CF65
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8491d6be2a3ab5a91bcf8cb19c55b8c2853f884002b97edd4ca51a7e147d2792
                                                                                              • Instruction ID: 231c19ba61ee020eac15ed544ff53388df1ddfab98ea575ed6a99f7c15e83396
                                                                                              • Opcode Fuzzy Hash: 8491d6be2a3ab5a91bcf8cb19c55b8c2853f884002b97edd4ca51a7e147d2792
                                                                                              • Instruction Fuzzy Hash: 36515AF0905216CFDB90DF68C540AAEBBB1FF0A304F04E295D00A9B602DB30E985CF55
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 52dbf3ca116067e4d863faff815aac10ec88fc383aafa87ae144dc8132cc35ee
                                                                                              • Instruction ID: 6c245dc2f687324e827c22c3ec9cb893b026c7be14409d7fdffe9b5b75659b61
                                                                                              • Opcode Fuzzy Hash: 52dbf3ca116067e4d863faff815aac10ec88fc383aafa87ae144dc8132cc35ee
                                                                                              • Instruction Fuzzy Hash: 41417BB0E1520A9FCF44DFDAD9419EEFBB2FF89310F109526D509AB354E7709A018BA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 88c7476ea8fe98d2f742afc7d7f8bc432bbb9dfee235a6342120d06cad2b02ab
                                                                                              • Instruction ID: 27625b1a11a4b3c059a8dd395a82dd5b21ea851f6768f8e7b4dd173a0c53761b
                                                                                              • Opcode Fuzzy Hash: 88c7476ea8fe98d2f742afc7d7f8bc432bbb9dfee235a6342120d06cad2b02ab
                                                                                              • Instruction Fuzzy Hash: 274149B4E1120A9FCF44DFE6D9419EEFBB2FB89320F10952AD505A7354E7709A418BA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5b36ce85ab17412cd397d08eae86f360d7f1221939cb3ab66aae5c6dcce31039
                                                                                              • Instruction ID: da90cca0a65f1f5ea70bb4bb6c8300f8ccacf58478c12008d2b96714b1927b78
                                                                                              • Opcode Fuzzy Hash: 5b36ce85ab17412cd397d08eae86f360d7f1221939cb3ab66aae5c6dcce31039
                                                                                              • Instruction Fuzzy Hash: BE4149B0D152088FDB44DFAAD4446EEBBF2AB8D311F14D26AE80AA7251D7344981CF65
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6c504aafcf31dd586d04fa694f560bd35ecc47e6105944efcebc1dfb5fcf1bef
                                                                                              • Instruction ID: 07b9033d7e95ac5adfe9967ab88e7488d4fbd7b85f7ca6ae48dd693984fe0f42
                                                                                              • Opcode Fuzzy Hash: 6c504aafcf31dd586d04fa694f560bd35ecc47e6105944efcebc1dfb5fcf1bef
                                                                                              • Instruction Fuzzy Hash: 3F41C1B1D28716CFDB819FA9C8456BEB7B5FF49304F00822AE566E6280C334B950CA50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 372b25d4ee0e48053406ec029c3345e6f38a5546cd1ecf300da681acd2e915db
                                                                                              • Instruction ID: 09c915c9dbdfdf8e5821b5248bfee484eb0fcce163ec0275daedf408db544805
                                                                                              • Opcode Fuzzy Hash: 372b25d4ee0e48053406ec029c3345e6f38a5546cd1ecf300da681acd2e915db
                                                                                              • Instruction Fuzzy Hash: 9D416DB0E2120ADFCB48DF99D58599EFFB1FB89310FA0D596D405A7314D7309A15CB14
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 393ec0514bf1754e8d97b426cf7ca4d7661da560ce5410b4dd74602ca6a512d9
                                                                                              • Instruction ID: 5e6387e5b854e461c571c450561db86f71177e8d343ed5ef4bdbd85be3a2af69
                                                                                              • Opcode Fuzzy Hash: 393ec0514bf1754e8d97b426cf7ca4d7661da560ce5410b4dd74602ca6a512d9
                                                                                              • Instruction Fuzzy Hash: 64416DB0E2120AEFCB88DF99D58599EFBB1FB89310FA0D596D415A7318DB309A11CB14
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0f134fc8097e4670bfcdd17971e3fad79fb4733036bc262849e8981b50ba514e
                                                                                              • Instruction ID: 1ca54927afe1bd6095a061ed303216586f0cd30b89e675ac26d376e313491639
                                                                                              • Opcode Fuzzy Hash: 0f134fc8097e4670bfcdd17971e3fad79fb4733036bc262849e8981b50ba514e
                                                                                              • Instruction Fuzzy Hash: 7531E5B4A51148CFD705EF68C954BADBBB2FF49304F009A95D01AAB395DB309C86CF20
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 304cc20c06b0dee8a4f41600df4b57debfcfb3a23707f2b0f050b64d8f5858ef
                                                                                              • Instruction ID: 13b4298b759479b082170490fa0153571dfa7ae22b1548ac021c57ac64fab202
                                                                                              • Opcode Fuzzy Hash: 304cc20c06b0dee8a4f41600df4b57debfcfb3a23707f2b0f050b64d8f5858ef
                                                                                              • Instruction Fuzzy Hash: 00318FB090524ADFCB48CFA9C5405AEFFF1EF8A210F28C69AC412A7350D7308B42DB11
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a97cc9dd76ee383eb6d51ee89aa5aa9c8a5947468de493dd7033e32f0d1c4138
                                                                                              • Instruction ID: 4206b30cc2f07c72ea2c273173d7beaa33af213cac9b8a9863f399a1ff3acfdd
                                                                                              • Opcode Fuzzy Hash: a97cc9dd76ee383eb6d51ee89aa5aa9c8a5947468de493dd7033e32f0d1c4138
                                                                                              • Instruction Fuzzy Hash: 0C314CB0D15209DFCB48DFA9C5406AEFBF5EB8A300F24D6AAD406A7214E7309A42CB51
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1873903279.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_179d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e08c12754615b12e45d45bb32fbfdd7af7ff734b268ca5c5e1f21871fc49f933
                                                                                              • Instruction ID: 5286242c5e7b91a9c5bd643624a6f0f2435e7685e33b0dc6a8fff1ad579580cf
                                                                                              • Opcode Fuzzy Hash: e08c12754615b12e45d45bb32fbfdd7af7ff734b268ca5c5e1f21871fc49f933
                                                                                              • Instruction Fuzzy Hash: CD2128B1500204DFDF15DF98E9C0B66FF65FB94314F20C1A9DD094B266C336E45AC6A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1873903279.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_179d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8af3f1b317bd193203a4debe818ca06ba523213d43f4895a9c3fb2bd205c6f6b
                                                                                              • Instruction ID: 28bf47dee65c0ed88647ef44325ed9ea83ed85cde9da6f24a253d5206c305406
                                                                                              • Opcode Fuzzy Hash: 8af3f1b317bd193203a4debe818ca06ba523213d43f4895a9c3fb2bd205c6f6b
                                                                                              • Instruction Fuzzy Hash: A521F171500240DFDF25DF58EA80B26FF65FB88318F30C5A9E9094B256C336D45ACBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ac382bc337f8babcf0a11dfc557a1ae8ee21b0514213c24bd5828fc381982e0f
                                                                                              • Instruction ID: bf3ad9e89a6b6ee4f38eca1383fa77b851b81bf1a1304d2b3bef73b0862eae00
                                                                                              • Opcode Fuzzy Hash: ac382bc337f8babcf0a11dfc557a1ae8ee21b0514213c24bd5828fc381982e0f
                                                                                              • Instruction Fuzzy Hash: 5C3118B5E112199FCB45EFA8D584AEDBBF1FF49310F04812AE801A7360DB34A945CFA4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ac68719bdcabd1b188abf4aa65fca356835c56924dc2406e52b3ac5c4bf7733f
                                                                                              • Instruction ID: e0264129d6b9a6d08f873d4839de024a0368bc06dceda52fc87b11dbdf162eca
• Opcode Fuzzy Hash: ac68719bdcabd1b188abf4aa65fca356835c56924dc2406e52b3ac5c4bf7733f
• Instruction Fuzzy Hash: 5E21C3B0618255CBC750AFB9E9402BAFBA4FB46304F108637B513C6387D274996AC792
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9fb3ad8acbb37cf5f80e9d962388fe6007aa7ae34e920cb3e7c56ee13e1b4c7
• Instruction ID: d19078b5fc700acd4b5cb9ce8f983837c71e2573d6d3546453ccfe452301baff
• Opcode Fuzzy Hash: f9fb3ad8acbb37cf5f80e9d962388fe6007aa7ae34e920cb3e7c56ee13e1b4c7
• Instruction Fuzzy Hash: 5D31E9B4E112199FCB45DFA8D4949EDBBF1FF49310F04812AE801A7360DB34A945CF90
Memory Dump Source
• Source File: 00000006.00000002.1874123364.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_17ad000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f3c897a895243155408ec3ad6c31a9df293a87663f840c170d7008cf1dbdb117
• Instruction ID: a62ae6198af4aadef18dd7eb65ea1ba21a3678d0f87abb4dd35f053559027403
• Opcode Fuzzy Hash: f3c897a895243155408ec3ad6c31a9df293a87663f840c170d7008cf1dbdb117
• Instruction Fuzzy Hash: C7210071684200DFCB25DF68D984B27FBA5EB88314F60C6A9E80A4B656C33AD446CA61
Memory Dump Source
• Source File: 00000006.00000002.1874123364.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_17ad000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c62ac0fac18e95c2f06e1cc71d1b6c21bfa6de4f42023b83c5f9f97ffeab87e1
• Instruction ID: dde3901a65482191c7ae623d902f7ccfbcdda5a557c76adeb75c3e86889d713c
• Opcode Fuzzy Hash: c62ac0fac18e95c2f06e1cc71d1b6c21bfa6de4f42023b83c5f9f97ffeab87e1
• Instruction Fuzzy Hash: E3212971508200DFDB15DF98D5C4B26FBA5FBC4324F60C7ADD9094B696C336D446CA61
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d05c2bd9212675aad187b6e71e8b65e581b015832b95c2f8c41d4a800bdbc238
• Instruction ID: 9a38365e64d4ea7ca9bde2150acf03dfd06fef9dad211096668a0060bd93cc0e
• Opcode Fuzzy Hash: d05c2bd9212675aad187b6e71e8b65e581b015832b95c2f8c41d4a800bdbc238
• Instruction Fuzzy Hash: 2621D2F1614115CBC7509FA9E9402BAFB74FB4A315F108737E11396382C2748A6AC7A1
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c3de46dd9e8af9690551d41fe90258a0f4a4bc0002cc9d93d1fae8ab82f8a0e
• Instruction ID: b2efa158818d414c88eecc731f23abaf38b81da8b2993401e2d3cb3d1c78abe8
• Opcode Fuzzy Hash: 2c3de46dd9e8af9690551d41fe90258a0f4a4bc0002cc9d93d1fae8ab82f8a0e
• Instruction Fuzzy Hash: AB1103B2614105CFD790EFA8E9427AABBB1FB06710F108A67E443DB253D275C52ADB50
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 078d96420b740f04734ea903d77fc76b97c3a0f4fcffdebd3092e5b1e1cdeacb
• Instruction ID: a005d027ad0aece15a1fd9cc5b069aca424a731287e8cc2a14088bf1fae575ab
• Opcode Fuzzy Hash: 078d96420b740f04734ea903d77fc76b97c3a0f4fcffdebd3092e5b1e1cdeacb
• Instruction Fuzzy Hash: 2C2190B4D192489FC744CFAAD8409EDBFB6AF8A310F44D16AE849AB352C7709446CF90
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1fc1f3cea7098ad9cdc1847147886c2180bf3273d9653bf3aa8db6bb5e500dc7
• Instruction ID: a1c47dab6af80f2809a6e7c9400a7a6cdefae0b583c2c88b1542982d9e78e971
• Opcode Fuzzy Hash: 1fc1f3cea7098ad9cdc1847147886c2180bf3273d9653bf3aa8db6bb5e500dc7
• Instruction Fuzzy Hash: 67216DB4A65205CFC744EFA9E19456CBFB6FB09311B049266F42A97391DF309C81CF60
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2eebe8914f0baa2d8c738487f3e0c46c3a6af6a460ec4ae4e6861157b863a93d
• Instruction ID: 55f9373b2c7c73162183cb87ffe9bc636c14a497e9bbc9719db719bcede8fbb0
• Opcode Fuzzy Hash: 2eebe8914f0baa2d8c738487f3e0c46c3a6af6a460ec4ae4e6861157b863a93d
• Instruction Fuzzy Hash: F52130B4919109CFCB40DFE9C181AAEBBF5EF4A310F209296D806B7755C7319A81CF61
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c78afbd72f293ae5b59e28260f50b92be0805ad8e4a2be9ee4e630561ce38487
• Instruction ID: 331e8e0878a430fbbc935c17e68f2422b0248e1e31abe014130b66b5e9a1a2f8
• Opcode Fuzzy Hash: c78afbd72f293ae5b59e28260f50b92be0805ad8e4a2be9ee4e630561ce38487
• Instruction Fuzzy Hash: E11106B4B002199BCB98AE79990467F7AA6FF84720F048739E81BD7354EE32CD4587D1
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ede6d7ea4738cad9c171722b45e4fcc00e8ca0a54bd8ed0cb059cb0b6244e767
• Instruction ID: f13cf23351c097a106c92ea2c237eb85107d6ec29d4e7b50a822918480e4edc9
• Opcode Fuzzy Hash: ede6d7ea4738cad9c171722b45e4fcc00e8ca0a54bd8ed0cb059cb0b6244e767
• Instruction Fuzzy Hash: 3521DBB4D19209CFCB84DFE9C1819AEBBF5EB49300F609156D909B7715D7309A81CFA1
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fa26b7f92b1a3068a5f9f23c81786215f567ed235e53803365a12da8b456dca
• Instruction ID: 33e1bdd5b47826b1f5d6c507a4f3d8b54a44db4311dfafc3a92a4702151eaa83
• Opcode Fuzzy Hash: 0fa26b7f92b1a3068a5f9f23c81786215f567ed235e53803365a12da8b456dca
• Instruction Fuzzy Hash: B621D6B1D006189BEB58DFABD8457DEFEF6AFC8300F14C16AD40976254DB7409468FA0
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92a2a49543231656540030b09702b0bbe712d553344fdb478bc014dc4ac31491
• Instruction ID: db16c68f54f57f096009a5c9b71234fdf4190d30f373d7a27d6eda7cd92c9eca
• Opcode Fuzzy Hash: 92a2a49543231656540030b09702b0bbe712d553344fdb478bc014dc4ac31491
• Instruction Fuzzy Hash: 5611ACB5A006164B8B15EFB999849BFB7F7EFC82607244A2DD42AD7340EF308D058B60
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3d9b3e4e2d642670ad5be023503cbfdc68dcd32b40180f6124fa3bfcf5650b30
• Instruction ID: 60f0489d2222edc2843e07dea844ef30465909ac6ccc7ce1e0b8b0e14f06f831
• Opcode Fuzzy Hash: 3d9b3e4e2d642670ad5be023503cbfdc68dcd32b40180f6124fa3bfcf5650b30
• Instruction Fuzzy Hash: E811E7B4E01109EFCB48DFA9C545A9DFBF6EB89300F18C5AA9419A7355DB309A41CB00
Memory Dump Source
• Source File: 00000006.00000002.1873903279.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_179d000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: 578fb8abe385dfaaa52af2772d41dbd5c2ff4e8704c68c57513b4dc2aba2a667
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: C711CD76404280CFCF12CF54D5C4B16BF62FB84218F24C6A9D8090B256C336D45ACBA1
Memory Dump Source
• Source File: 00000006.00000002.1873903279.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_179d000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: b65e9f97dbd0374c0535f9086790c219d9e279f6b7d4e543e881d1363be881fb
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 9611CD72404240CFDF12CF44D5C4B56BF62FB94224F24C2A9DD090B266C33AE45ACBA1
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e8716973d508d4681b44cd774f2d0222399fe8ce07345dd46b5051a23cbcd53
• Instruction ID: 0c26505d3aeed4dad87c85856ec30005d6039717d98bb4cc2f9d2c6312c23b78
• Opcode Fuzzy Hash: 2e8716973d508d4681b44cd774f2d0222399fe8ce07345dd46b5051a23cbcd53
• Instruction Fuzzy Hash: 4E114FB8D09108DFCB44EFE9C540AADBBF5FB49300F45D696985AA7305D330AA42DF40
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3faba440dd0a5f7a80196f8e99d6e39f36c26a1d42aca91fa3f0f4acefc15bb1
• Instruction ID: 7c3c03b4f5781cdac82e29fd329ee3cd57880371abf009f632700b2d2e2f4a15
• Opcode Fuzzy Hash: 3faba440dd0a5f7a80196f8e99d6e39f36c26a1d42aca91fa3f0f4acefc15bb1
• Instruction Fuzzy Hash: 34211AB4A05109DFCB49CFA9C585A9EFBF2EF89310F18C59AD4159B355DB309A41CB40
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e7509bd911d5e2cb6c9986b25f6483998a84446bbcf0e661abce4f54ccda0da0
• Instruction ID: 58b6b1a15780958b1c441f1b794d4e40c221874f68f24b0cab8014422f40d8d0
• Opcode Fuzzy Hash: e7509bd911d5e2cb6c9986b25f6483998a84446bbcf0e661abce4f54ccda0da0
• Instruction Fuzzy Hash: CD11E1E0624025CBC7906EA8E5403BAF260EB45309F009B32A2138A786D2349ABB8691
Memory Dump Source
• Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25e7020c2d366422772ee13df2b6974703383980d3b5d42e7e7f9d8f9c3c56f2
• Instruction ID: b8793aacfa16e061b4519049971f4014cf77d72d14ab58f3fb0858aeb4d1c943
• Opcode Fuzzy Hash: 25e7020c2d366422772ee13df2b6974703383980d3b5d42e7e7f9d8f9c3c56f2
• Instruction Fuzzy Hash: 981106B0915218CFCB94EFA4C594AACB7B6FB0A311F109299D40AAB345CB359D86CF10
Memory Dump Source
• Source File: 00000006.00000002.1874123364.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_17ad000_Exccelworkbook.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: c366b9269d557a12a49a5d9bd2d15fe7d96dd5251048ce307a60298435f386a5
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 62118B75508280DFDB16CF54D5C4B15FFA1FB84224F24C6AAD8494B6A6C33AD44ACB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1874123364.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_17ad000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction ID: 419d6aafbf7d59bc346cc06f69d9f5a5c96972454d0e9d79c5284401ade81e32
                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction Fuzzy Hash: 0C11D075544280CFDB12CF54D5C4B16FF71FB88314F24C6AAD8494B656C33AD40ACB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 656dea5958b5924e9010a50066eeb4d2164c9be0e80ef582eea32fdf5ffbba44
                                                                                              • Instruction ID: 9404423f0f6243fb86b05301a2e664fa489fa8c71f7a55c5480a30f192437d0a
                                                                                              • Opcode Fuzzy Hash: 656dea5958b5924e9010a50066eeb4d2164c9be0e80ef582eea32fdf5ffbba44
                                                                                              • Instruction Fuzzy Hash: 9211C3B1D016188BEB58DFABD8457DEFAF7AFC8310F14C16AD40976264DB7409468FA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 172dfeb4b98af6d21848289ea453a955adc532025f75961597cb911e7a6c8b2d
                                                                                              • Instruction ID: 152c69625712d787f3503224c4974eea8e15cb9875d89d502c52f8b678b04184
                                                                                              • Opcode Fuzzy Hash: 172dfeb4b98af6d21848289ea453a955adc532025f75961597cb911e7a6c8b2d
                                                                                              • Instruction Fuzzy Hash: 56116AB4A61206CFC740EFA9E19996DBFF6FF09310B149216E41A9B391CF309C81CB60
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4320aab29ae7736b2913e6f9089e240d738e2c2a387819ae85c5cc36f4dc152d
                                                                                              • Instruction ID: 639bcf0099a9d10eda448f589d48f3f060ed08e74a2658decd2d6dc55827bdf9
                                                                                              • Opcode Fuzzy Hash: 4320aab29ae7736b2913e6f9089e240d738e2c2a387819ae85c5cc36f4dc152d
                                                                                              • Instruction Fuzzy Hash: 04113CB8D08208DFCB44EFE9D5409ADBBF5FB49310F01D6A6981AA7301D330AA41DF80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e843d2e6747f54dfa11150f10cf2ed23bc400d489d28ec26b8919e20c12a37d8
                                                                                              • Instruction ID: 7664882fb201e9cdd5732f840b60d88dcd33cb9f72bc079739de79f46184c72e
                                                                                              • Opcode Fuzzy Hash: e843d2e6747f54dfa11150f10cf2ed23bc400d489d28ec26b8919e20c12a37d8
                                                                                              • Instruction Fuzzy Hash: 5E010CB4E152199BDB48DFAAD4449AEBBF6AF8D300F00D12AE90AA7350DB705545CF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a1164ba975ade87f4fff08a76550aadf28cdcc1cc5b5bdb7bff417622f5fdc59
                                                                                              • Instruction ID: fcfa92f75e435d2e60c96854c14f2b2ea3b858fe65cdb4e06b12160c9b0d611d
                                                                                              • Opcode Fuzzy Hash: a1164ba975ade87f4fff08a76550aadf28cdcc1cc5b5bdb7bff417622f5fdc59
                                                                                              • Instruction Fuzzy Hash: 17115E74A61205CFC740DFA9E1954ADBFF6FF49314B009656E42A9B395CB309881CB60
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 333503ac5bd14a4d27e527e10abbdd331d180da108a69ff4de27529ab862260f
                                                                                              • Instruction ID: e9840d3d27e6552cafa540795d8f4c445f7736509074e301e52e534e167cb133
                                                                                              • Opcode Fuzzy Hash: 333503ac5bd14a4d27e527e10abbdd331d180da108a69ff4de27529ab862260f
                                                                                              • Instruction Fuzzy Hash: 3C110CF4E19359CFDB90EF65C8407A9B7BAFB4A300F1092E9C00E97255C7306A85CB12
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0c1475ac2004165f25bfe2b3cd781272a5793bd77e123835490f36fbca9fd0d4
                                                                                              • Instruction ID: ed6e7942ae16f6e59ca8931a005fa5fa42ac7c5443321de8f2a8cd96f265004b
                                                                                              • Opcode Fuzzy Hash: 0c1475ac2004165f25bfe2b3cd781272a5793bd77e123835490f36fbca9fd0d4
                                                                                              • Instruction Fuzzy Hash: 2A015AB4A14208EFC740EFB8D688AADBBF5FF49300F10D195A40AAB365DB309E01DB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 09c2dfe8fd2f1b0d0a74f36e5be09ff48adfc99ca1f58b6c7d6470250d80199c
                                                                                              • Instruction ID: 4eb11acb94f730de8a228f90e982612ebba6f947c333ebba9257cbde610af159
                                                                                              • Opcode Fuzzy Hash: 09c2dfe8fd2f1b0d0a74f36e5be09ff48adfc99ca1f58b6c7d6470250d80199c
                                                                                              • Instruction Fuzzy Hash: B3011BF4E19319CFDB90EF55C9407AEB7BAFB45300F109695D00AA7251C7306A85CF01
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9a2b841eb77a7df4f93feb9da510b6966bbe74047f0e957eb824ba402e80ef44
                                                                                              • Instruction ID: 2b94a53dca9baeaf1dc8db4f64e22ebb7a2412f0e5470bd17e3a282e6e5eb338
                                                                                              • Opcode Fuzzy Hash: 9a2b841eb77a7df4f93feb9da510b6966bbe74047f0e957eb824ba402e80ef44
                                                                                              • Instruction Fuzzy Hash: 8001DAB4E19318CFCB84DFA5D944ABDBBF9BF4A301F14A519E40AAB355D770A802CB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f83f9b2201142948e01698bd8980750ebba0a92104919269ab52ffa8a36a8689
                                                                                              • Instruction ID: 1b3173e11e98814d235c15e127d1e311d2365b0523d7777de534fedb8d46e2a0
                                                                                              • Opcode Fuzzy Hash: f83f9b2201142948e01698bd8980750ebba0a92104919269ab52ffa8a36a8689
                                                                                              • Instruction Fuzzy Hash: 280162F0969108DFC745EFAAD5416B9BBB8EF4A300F00E365E40E6F615DB309A46DB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0d3e68a4041e052279d19806d2c379ce51ea9f8bc57613dc3c18f1395db2a8f4
                                                                                              • Instruction ID: 013c82429703e68831dcfbf6b6736b55b63bd7b9f789ff5b94c925acbb8018b8
                                                                                              • Opcode Fuzzy Hash: 0d3e68a4041e052279d19806d2c379ce51ea9f8bc57613dc3c18f1395db2a8f4
                                                                                              • Instruction Fuzzy Hash: 26014FB4A14108DFC740EFA9C684AADBFF5EF49300F15D194A40DAB355DB309E01DB50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 29c8934f8a524ac8e4c0585bf91ff4d414af782a8575c3ae81af28480c8a7eb4
                                                                                              • Instruction ID: 08e97e2344b8f193523dc696310bde8b25a1007aa57a071e3c01fa15571f2d36
                                                                                              • Opcode Fuzzy Hash: 29c8934f8a524ac8e4c0585bf91ff4d414af782a8575c3ae81af28480c8a7eb4
                                                                                              • Instruction Fuzzy Hash: 0D01D6317C53009FE31597B08916F95BBB2EB46720F294096F10A5F1F7C672C800C715
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9232438c13f63ba7fe7d0007677a64d14d43b00b7c1752b43592d027abddcdd6
                                                                                              • Instruction ID: a7eb776b0fa2bdba1a22982bfbec6ede2adb22f47638ca99e33381ada17de7d9
                                                                                              • Opcode Fuzzy Hash: 9232438c13f63ba7fe7d0007677a64d14d43b00b7c1752b43592d027abddcdd6
                                                                                              • Instruction Fuzzy Hash: DEF044F0919108DFC755EF9AD5405B9BBB8EB4A300F00E2A5940E6F616DB309B46DB54
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 114e3aa1eb58d68d2717917b26cc8de73215bb74d25a00cdf8f86b6fd4baf56a
                                                                                              • Instruction ID: a4b6a9f2612b9403353c84e17567ee1f5a3196826cd0b4402e93815e0f9e6d51
                                                                                              • Opcode Fuzzy Hash: 114e3aa1eb58d68d2717917b26cc8de73215bb74d25a00cdf8f86b6fd4baf56a
                                                                                              • Instruction Fuzzy Hash: 5B018474A15204CFD745EF68E895768BB71EB4E210F209A97E41AA7384CF304D81CF20
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_6_2_7680000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 47a43d30901d815c0670d17f2552396875ece0975d4d437a55ccb86572832d1f
                                                                                              • Instruction ID: ae3f31c3dfb7e6d0946515d9d4e425e1f8baf1cefc82361d8214c0b2a9fd6729
                                                                                              • Opcode Fuzzy Hash: 47a43d30901d815c0670d17f2552396875ece0975d4d437a55ccb86572832d1f
                                                                                              • Instruction Fuzzy Hash: F5F08275A00249ABCF11DFB8D4046EDBFB1EF44325F24C29BE8146A351C7369643DB62
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000006.00000002.1916575623.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                                                                                              • Instruction ID: da49ca8a6b6b252c1e1d48c542b0ce361970ec3a4f62870d8b04a8d06d6fe28f
                                                                                              • Opcode Fuzzy Hash: 9df842828702483ccf0a6a08d99a8220785b299cb2035eeedb882810a8f13181
                                                                                              • Instruction Fuzzy Hash: E2C08C6900D1C0CFC7076F61A91C851BF71EF2A20470840CAE0C40A133C51A0835DB1A

                                                                                              Execution Graph

                                                                                              Execution Coverage:7.6%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:75
                                                                                              Total number of Limit Nodes:7
                                                                                              • Rendered execution graph omitted; recoverable data: nodes are functions in the 01410000 region (process 9 dump). API calls reached on the graph: DuplicateHandle (via 141611c and 1416788), CreateActCtxA (1416414 and 1417370), GetModuleHandleW (141c238) and KiUserCallbackDispatcher (141e3ba).

                                                                                              Control-flow Graph

                                                                                              • Rendered graph omitted (executed/not-executed colouring is not recoverable from the text). Function 141c003-141c280: calls 141af60, 141af6c, 141af7c, 141af8c and 141af9c, a call at 141c026 recorded with targets 141c689 and 141c698, and GetModuleHandleW in block 141c238-141c263.
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0141C256
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_1410000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: e406f856ae87aac7c6aca518ace5c89716d8756866e0bede7531bcbf7861d6d9
                                                                                              • Instruction ID: 2ef0fd4c024f412ea273b7886e4fb9b00593aabac50209d480bd60c290cecf7e
                                                                                              • Opcode Fuzzy Hash: e406f856ae87aac7c6aca518ace5c89716d8756866e0bede7531bcbf7861d6d9
                                                                                              • Instruction Fuzzy Hash: B07147B0A40B458FD724DF6AC98079BBBF1BF48204F10892ED48AD7B64D775E946CB90

                                                                                              Control-flow Graph

                                                                                              • Rendered graph omitted (executed/not-executed colouring is not recoverable from the text). Function 1416414-14174b9: CreateActCtxA is called in the entry block 1416414-1417431; the tail 1417433-14174b9 ends in a self-loop at 14174b9.
                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 01417421
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_1410000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: 95b9808b5b14534447500cb1fcb4e8aab95c651c5d2795623da9ac37bf47a682
                                                                                              • Instruction ID: 0705f5f78a0b6155e7986987b38c7f11f476f80af62e0fefbb8664be555e328f
                                                                                              • Opcode Fuzzy Hash: 95b9808b5b14534447500cb1fcb4e8aab95c651c5d2795623da9ac37bf47a682
                                                                                              • Instruction Fuzzy Hash: 7641C0B0C0061DCFDB24DFA9C944B9EBBF5BF49304F24806AD408AB265DB756985CF90

                                                                                              Control-flow Graph

                                                                                              • Rendered graph omitted (executed/not-executed colouring is not recoverable from the text). Function 1417364-14174b9, a second entry into the same body: CreateActCtxA is called in the entry block 1417364-1417431; the tail 1417433-14174b9 ends in a self-loop at 14174b9.
                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 01417421
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_1410000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: 6ffbc5edb1b716c2c3fede88ff8230bcae394f1f051d64d6c3264eb36a57f7da
                                                                                              • Instruction ID: 9b2184f58bbc7f84b6164db8656115c5aac0376eee03a569e40945c73ee471f0
                                                                                              • Opcode Fuzzy Hash: 6ffbc5edb1b716c2c3fede88ff8230bcae394f1f051d64d6c3264eb36a57f7da
                                                                                              • Instruction Fuzzy Hash: 6A41D1B1C40619CFDB24CFA9C944BDEBBF5BF49304F2480AAD408AB265DB755949CF90

                                                                                              Control-flow Graph

                                                                                              • Rendered graph omitted (executed/not-executed colouring is not recoverable from the text). Function 1416780-1416842: DuplicateHandle is called in block 1416788-141681c, which branches to 141681e-1416824 or 1416825-1416842.
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0141674E,?,?,?,?,?), ref: 0141680F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_1410000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: d2165bb710450dd27bb27be34d869e8d406ef134dadef2b6c001cda40dd26cd8
                                                                                              • Instruction ID: c133e31a02bf28d5a328f97555062f5e13924937ec96167c8cdf9985f85b5a76
                                                                                              • Opcode Fuzzy Hash: d2165bb710450dd27bb27be34d869e8d406ef134dadef2b6c001cda40dd26cd8
                                                                                              • Instruction Fuzzy Hash: BB21F4B5900248AFDB10CFAAD884AEEBFF4EB48320F14801AE954A7311D774A940CFA5

                                                                                              Control-flow Graph

                                                                                              • Rendered graph omitted (executed/not-executed colouring is not recoverable from the text). Function 141611c-1416842, a second entry into the same body: DuplicateHandle is called in block 141611c-141681c, which branches to 141681e-1416824 or 1416825-1416842.
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0141674E,?,?,?,?,?), ref: 0141680F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_1410000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: 8714a8e8814f16443782cf9a0935c74ad66f3526b175b84c244b447d2641deee
                                                                                              • Instruction ID: b8d3de53ce2167afbf8084cc465489401f43b4920c96690ce29c8c05ae82c09e
                                                                                              • Opcode Fuzzy Hash: 8714a8e8814f16443782cf9a0935c74ad66f3526b175b84c244b447d2641deee
                                                                                              • Instruction Fuzzy Hash: 2521E3B5900248AFDB10CF9AD984ADEBFF8FB48320F14841AE958A7310D374A940CFA5

                                                                                              Control-flow Graph

                                                                                              • Rendered graph omitted (executed/not-executed colouring is not recoverable from the text). Function 141c1f0-141c280: GetModuleHandleW is called in block 141c238-141c263, followed by 141c265-141c26b or 141c26c-141c280.
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0141C256
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_1410000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 509f9b5db84c950798d986205b83e485351f5aeec68992f06e95b5392f9debd7
                                                                                              • Instruction ID: a57a097482261efa4ed279492e297145c8bca10dd31170d1b97c57e4df1e2401
                                                                                              • Opcode Fuzzy Hash: 509f9b5db84c950798d986205b83e485351f5aeec68992f06e95b5392f9debd7
                                                                                              • Instruction Fuzzy Hash: 721110B5C002498FDB10DF9AC844ADEFBF4AB88320F10842AD829B7210C3B9A545CFA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181380895.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_138d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4fe525d403c45a5ad86edf7d6317f6d6ab544ca51736af81b5c7b04d84d78602
                                                                                              • Instruction ID: 17b582227c59ba50c3b5ae452d7ab4cebdbec33e3f05d3f282252574df9fdf76
                                                                                              • Opcode Fuzzy Hash: 4fe525d403c45a5ad86edf7d6317f6d6ab544ca51736af81b5c7b04d84d78602
                                                                                              • Instruction Fuzzy Hash: 542122B1604304DFDB15EF98D984B26BFA5FB84318F20C56DD80A4B396C33AD447CA61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181380895.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_138d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction ID: af53d568839933dc112eab31eca0de8df607c81ea012b28f3e35ef4ab21a8390
                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction Fuzzy Hash: 7311BEB5504380CFDB12DF54D5C4B15BF61FB44318F24C6AAD8494B696C33AD40BCB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181284832.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_137d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4844497bdd83abce1c20f006312f9cd53477cc1838d2cc5221dfe092c6e0d30c
                                                                                              • Instruction ID: 357038debfd168db5404b46c2a75024096692687fd79c7ea86f7b432da79ecf2
                                                                                              • Opcode Fuzzy Hash: 4844497bdd83abce1c20f006312f9cd53477cc1838d2cc5221dfe092c6e0d30c
                                                                                              • Instruction Fuzzy Hash: 71F04976200600AFD3208F0AD884C23FBADFFC4634719C05AE84A4B612C271FC42CEA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000009.00000002.4181284832.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_9_2_137d000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7eb68d65dfb7c1b8e160e191d0fc919db0f40903917848f56c0fa952718329b2
                                                                                              • Instruction ID: 69c697c2536dbff9f9968292f02833c24b46dc292541ade97312b77be6d74bf4
                                                                                              • Opcode Fuzzy Hash: 7eb68d65dfb7c1b8e160e191d0fc919db0f40903917848f56c0fa952718329b2
                                                                                              • Instruction Fuzzy Hash: 78F0E775104680AFD725CF16CD84C22BBB9FF8A6647198489E84A9B762C675FC42CFA0
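The per-function blocks above (APIs, Memory Dump Source, Similarity) repeat the same layout for every function Joe Sandbox disassembled, which is easier to triage as structured records than by scrolling. The following is an added example, not code from this report or from Joe Security: it parses the layout as rendered on this page, summarises which APIs each process's dumps reach, and compares call sites by RVA (call site minus dump base) across processes, since these dumps are not PE-backed and the same RVA in two processes points at one code image mapped at two bases. The sample input repeats a few of this page's own lines; its last block (process 00000010, GetModuleHandleW at 0330C256) is constructed to show the comparison and is not taken from the report.

```python
"""Parse Joe Sandbox per-function blocks ("APIs" / "Memory Dump Source") into records.

Added example, not code from this report or from Joe Security. Assumes the layout
as rendered on this page: API bullets "<Api>.<MODULE>(<args>), ref: <call site>"
(args may be absent) and "Source File: <proc>.<stage>.<dump>.<base>....sdmp,
Offset: <hex>, based on PE: <bool>". SAMPLE repeats lines from the report; its
last block (process 00000010, GetModuleHandleW at 0330C256) is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
    r"(?:\.[0-9A-Fa-f]+)+\.sdmp,\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class FunctionBlock:
    proc: str | None = None      # process field of the .sdmp name, kept verbatim
    base: int | None = None      # base address of the dumped region
    based_on_pe: bool | None = None
    apis: list[tuple[str, str, int]] = field(default_factory=list)  # (api, module, call site)


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split report text into one FunctionBlock per function entry."""
    blocks: list[FunctionBlock] = []
    cur = FunctionBlock()

    def flush() -> None:
        nonlocal cur
        if cur.base is not None:     # every real block carries a dump source
            blocks.append(cur)
        cur = FunctionBlock()

    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        # Either header opens the next block once the current one has its source.
        if line in ("Control-flow Graph", "Memory Dump Source") and cur.base is not None:
            flush()
        if m := SRC_RE.search(line):
            cur.proc, cur.base, cur.based_on_pe = m["proc"], int(m["base"], 16), m["pe"] == "true"
        elif "ref:" in line and (m := API_RE.search(line)):
            cur.apis.append((m["api"], m["module"], int(m["ref"], 16)))
    flush()
    return blocks


def apis_by_process(blocks: list[FunctionBlock]) -> dict[str, list[str]]:
    """Process -> sorted, de-duplicated MODULE!Api names seen in its dumps."""
    seen: dict[str, set[str]] = defaultdict(set)
    for b in blocks:
        for api, module, _ in b.apis:
            seen[b.proc].add(f"{module}!{api}")
    return {proc: sorted(names) for proc, names in seen.items()}


def shared_code_rvas(blocks: list[FunctionBlock]) -> dict[tuple[int, str], list[str]]:
    """(call-site RVA, MODULE!Api) pairs seen in dumps of more than one process.

    Same RVA, same API, different process: one code image mapped at two bases,
    i.e. a loader that copied itself (or its payload) into another process."""
    by_rva: dict[tuple[int, str], set[str]] = defaultdict(set)
    for b in blocks:
        for api, module, site in b.apis:
            by_rva[(site - b.base, f"{module}!{api}")].add(b.proc)
    return {key: sorted(procs) for key, procs in by_rva.items() if len(procs) > 1}


SAMPLE = """\
Control-flow Graph
• GetModuleHandleW.KERNEL32(00000000), ref: 0141C256
Memory Dump Source
• Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
Control-flow Graph
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0141674E,?,?,?,?,?), ref: 0141680F
Memory Dump Source
• Source File: 00000009.00000002.4181823411.0000000001410000.00000040.00000800.00020000.00000000.sdmp, Offset: 01410000, based on PE: false
Control-flow Graph
• GetCurrentProcess.KERNEL32 ref: 033065BE
• GetCurrentThread.KERNEL32 ref: 033065FB
• GetCurrentProcess.KERNEL32 ref: 03306638
• GetCurrentThreadId.KERNEL32 ref: 03306691
Memory Dump Source
• Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
Control-flow Graph
• GetModuleHandleW.KERNEL32(00000000), ref: 0330C256
Memory Dump Source
• Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
"""

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for proc, names in apis_by_process(parsed).items():
        print(proc, ", ".join(names))
    for (rva, name), procs in shared_code_rvas(parsed).items():
        print(f"RVA {rva:#x} {name} shared by processes {', '.join(procs)}")
```

Run against the full report text (copied from the page), the RVA comparison is the quick check for the "injects a PE file into a foreign process" verdict: call sites that line up at the same RVA in the 01410000 and 03300000 regions are the same code running in two processes, which is what the matching execution graphs for both regions already suggest.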

                                                                                              Execution Graph

                                                                                              Execution Coverage:7.2%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:55
                                                                                              Total number of Limit Nodes:8
                                                                                              • Rendered execution graph omitted; recoverable data: nodes are functions in the 03300000 region (process 00000010 dump). API calls reached on the graph: KiUserCallbackDispatcher (330e3ba), GetFocus (330e990), GetCurrentProcess, GetCurrentThread and GetCurrentThreadId (3306586-3306673), DuplicateHandle (3306788), GetModuleHandleW (330c238) and CreateActCtxA (3306414 and 3307370).

Control-flow Graph
Function at 0x3306530 (basic blocks 0x3306530-0x330670d; rendered graph omitted). Blocks with calls, in address order: 0x330657d GetCurrentProcess; 0x33065d8 GetCurrentThread; 0x3306615 GetCurrentProcess; 0x3306652 call 0x330670f; 0x3306673 GetCurrentThreadId. One loop: 0x330653f-0x330656c back to 0x3306570.
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 033065BE
                                                                                              • GetCurrentThread.KERNEL32 ref: 033065FB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 03306638
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 03306691
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: 5880cfe70bfc56e8391c4c8203e842292008aa411ae5e9cd2a6604bde8e78d86
                                                                                              • Instruction ID: 9bcf41043c96866f7b4f7d21472d8d02da9988e90b8ff753e807bd7729191831
                                                                                              • Opcode Fuzzy Hash: 5880cfe70bfc56e8391c4c8203e842292008aa411ae5e9cd2a6604bde8e78d86
                                                                                              • Instruction Fuzzy Hash: 285187B49002498FDB14DFA9D988BDEBFF1EF48304F248059D049AB3A5DB349944CF65

Control-flow Graph
Function at 0x3306540 (basic blocks 0x3306540-0x330670d; rendered graph omitted; same body as the 0x3306530 function above, entered past its prologue). Blocks with calls, in address order: 0x3306540 GetCurrentProcess; 0x33065d8 GetCurrentThread; 0x3306615 GetCurrentProcess; 0x3306652 call 0x330670f; 0x3306673 GetCurrentThreadId.
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 033065BE
                                                                                              • GetCurrentThread.KERNEL32 ref: 033065FB
                                                                                              • GetCurrentProcess.KERNEL32 ref: 03306638
                                                                                              • GetCurrentThreadId.KERNEL32 ref: 03306691
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Current$ProcessThread
                                                                                              • String ID:
                                                                                              • API String ID: 2063062207-0
                                                                                              • Opcode ID: df2863f6c97f90a5a2316e19b1b62ca5c6f56779b9f982d69654bdf18d6c94ec
                                                                                              • Instruction ID: 44bf1f61def65ec2ff401211510038f751693047c05df11f971ea081981360a4
                                                                                              • Opcode Fuzzy Hash: df2863f6c97f90a5a2316e19b1b62ca5c6f56779b9f982d69654bdf18d6c94ec
                                                                                              • Instruction Fuzzy Hash: 6F5144B49102098FDB14DFA9C988B9EFBF5EF48304F248459E409A73A4DB34A984CF65

Control-flow Graph
Function at 0x330bff0 (basic blocks 0x330bff0-0x330c280; rendered graph omitted). Blocks with calls, in address order: 0x330c011 call 0x330af60; 0x330c026 call 0x330c698 or call 0x330c689 (two recorded variants); 0x330c0b8 call 0x330af6c; 0x330c100 call 0x330af7c; 0x330c126 call 0x330af8c, call 0x330af9c; 0x330c238 GetModuleHandleW.
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0330C256
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 91a9d611b60038b6b1809924fa0e8b0581d6947a1cd4deebcff9efb5978ac8d3
                                                                                              • Instruction ID: eeeb69b87656cdfac98e87c52e7cfc01f0745dde3423fbd266f8d7cb260f74a5
                                                                                              • Opcode Fuzzy Hash: 91a9d611b60038b6b1809924fa0e8b0581d6947a1cd4deebcff9efb5978ac8d3
                                                                                              • Instruction Fuzzy Hash: EB8135B0A00B058FD724DF69D99075ABBF5FF48300F048A6DD486DBA90D775E849CB91

Control-flow Graph
Function at 0x3307364 (basic blocks 0x3307364-0x33074b9; rendered graph omitted). Blocks with calls: 0x3307370 CreateActCtxA. The final block 0x33074b9 loops to itself.
                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 03307421
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: fe03c44c906828528d8b0f76b99e254e6be17824d91d8747f7f2b3599955db4a
                                                                                              • Instruction ID: 7b9b81d18a94a2e6b259961f6aac560d63557b2961b54887a8b7db3b204a79cd
                                                                                              • Opcode Fuzzy Hash: fe03c44c906828528d8b0f76b99e254e6be17824d91d8747f7f2b3599955db4a
                                                                                              • Instruction Fuzzy Hash: 5B41C0B0C00619CFDB25CFA9C98478EBBB5BF49304F24805AD458AB265DB756985CF90

Control-flow Graph
Function at 0x3306414 (basic blocks 0x3306414-0x33074b9; rendered graph omitted). Blocks with calls: 0x3306414-0x3307431 CreateActCtxA. The final block 0x33074b9 loops to itself.
                                                                                              APIs
                                                                                              • CreateActCtxA.KERNEL32(?), ref: 03307421
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: Create
                                                                                              • String ID:
                                                                                              • API String ID: 2289755597-0
                                                                                              • Opcode ID: ae01b2290800a48cb794c065ea20dd041180712ae31f055fe898baa13dffdd26
                                                                                              • Instruction ID: 550d532fb9fed1b5052e6117f9326153d22e58416311daeca6be881173b55623
                                                                                              • Opcode Fuzzy Hash: ae01b2290800a48cb794c065ea20dd041180712ae31f055fe898baa13dffdd26
                                                                                              • Instruction Fuzzy Hash: 6641D2B0C0461DCFDB25CFA9C8847CEBBB5BF44304F24805AD418AB265DB756985CF90

Control-flow Graph
Function at 0x3306780 (basic blocks 0x3306780-0x3306842; rendered graph omitted). Blocks with calls: 0x33067c0 DuplicateHandle.
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0330680F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: fb897f38c266027339f614a032bbb1a3b22eeb0f0176afe6dc7131f0acbffddf
                                                                                              • Instruction ID: f456514a440cb9d6d5cb1dc49412db1203deb588df147302356d29f2f65823fb
                                                                                              • Opcode Fuzzy Hash: fb897f38c266027339f614a032bbb1a3b22eeb0f0176afe6dc7131f0acbffddf
                                                                                              • Instruction Fuzzy Hash: 8721F4B5D00219DFDB10CF99D984AEEBBF8FB48320F14802AE954A7350D334A954CFA5

Control-flow Graph
Function at 0x3306788 (basic blocks 0x3306788-0x3306842; rendered graph omitted; same body as the 0x3306780 function above, entered past its prologue). Blocks with calls: 0x3306788 DuplicateHandle.
                                                                                              APIs
                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0330680F
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: DuplicateHandle
                                                                                              • String ID:
                                                                                              • API String ID: 3793708945-0
                                                                                              • Opcode ID: d3e946b318600b93891a1c0ae6cf5d5a5b5346d86f69dfc0c461e7752303f59e
                                                                                              • Instruction ID: 6d6f982ed1cf9a7c4ff188c752497c1afae91b5e30b69205e47efe4684c07298
                                                                                              • Opcode Fuzzy Hash: d3e946b318600b93891a1c0ae6cf5d5a5b5346d86f69dfc0c461e7752303f59e
                                                                                              • Instruction Fuzzy Hash: CF21E3B59002189FDB10CF9AD984ADEFBF8EB48320F14841AE954A7250D374A950CFA5

Control-flow Graph
Function at 0x330c1f0 (basic blocks 0x330c1f0-0x330c280; rendered graph omitted). Blocks with calls: 0x330c238 GetModuleHandleW.
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0330C256
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1900792648.0000000003300000.00000040.00000800.00020000.00000000.sdmp, Offset: 03300000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_3300000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID: HandleModule
                                                                                              • String ID:
                                                                                              • API String ID: 4139908857-0
                                                                                              • Opcode ID: 1e64bc142d86c39eb35738a3dff9f61f2706bfddf7705acb20057e4d13438461
                                                                                              • Instruction ID: 2a9b949c562cb4762794ca28a790fd6cac61ae720d3ae73778fbf5d3e8a23f00
                                                                                              • Opcode Fuzzy Hash: 1e64bc142d86c39eb35738a3dff9f61f2706bfddf7705acb20057e4d13438461
                                                                                              • Instruction Fuzzy Hash: CA1110B5C002498FCB10DF9AC844ADEFBF8AB88320F14852AD469BB650C375A545CFA5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1899335889.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_18cd000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 9d5ca25700e8e800836abc678964da97a5f48001e2720812f32cb2f8b0f1a182
                                                                                              • Instruction ID: 20119832436407fdc6acfe7107aa57b5fc5fce265f1273bf64f7ba1626c41fdf
                                                                                              • Opcode Fuzzy Hash: 9d5ca25700e8e800836abc678964da97a5f48001e2720812f32cb2f8b0f1a182
                                                                                              • Instruction Fuzzy Hash: 43210071604204DFCB15EF58D9C4B26BBA5EB84B18F20C67DD80A8B256C33AD547CAA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000010.00000002.1899335889.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_16_2_18cd000_Exccelworkbook.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction ID: a7f479fd8260b4b6c8fa89aeca40555210b8e2cddd4b2a457a7cdb97208c5035
                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                              • Instruction Fuzzy Hash: B311EB75504280CFCB02DF18D5C4B16BFA2FB84314F24C6AED8098B656C33AD40ACBA2
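The execution_graph and control_flow_graph listings above are exported as one flat token stream (node id, address or address range, optional API label or "call <addr>", and "id->id" edges). The script below, an added example that is not part of this report or of Joe Sandbox, parses that stream and answers the question a triager actually has: which imported APIs can each root reach, and what address range does a function cover. The token grammar is inferred from the listings on this page and is an assumption; the two sample strings are fragments copied from this report. Because every record here says "based on PE: false", the dump regions are not image-backed: the addresses are allocated at run time and will differ between executions, so match functions across reports on their Opcode ID or Instruction Fuzzy Hash, not on addresses.

```python
"""Parse Joe Sandbox execution_graph / control_flow_graph text and summarise
the imported APIs reachable from each root node.

Added example, not part of the report or of Joe Sandbox. The grammar
(`<id> <addr>[-<addr>] [label ...]` for nodes, `<id>-><id>` for edges,
`call <addr>` for internal calls) is inferred from this page: an assumption."""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

# Constructed samples: fragments copied from this report's own listings.
EXECUTION_GRAPH = (
    "execution_graph 14511 3306540 14512 3306586 GetCurrentProcess 14511->14512 "
    "14514 33065d1 14512->14514 14515 33065d8 GetCurrentThread 14512->14515 "
    "14514->14515 14516 3306615 GetCurrentProcess 14515->14516 14517 330660e "
    "14515->14517 14518 330664b 14516->14518 14517->14516 14519 3306673 "
    "GetCurrentThreadId 14518->14519 14520 33066a4 14519->14520 "
    "14521 3306788 DuplicateHandle 14522 330681e 14521->14522"
)
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 697 3306780-3306781 698 33067c0-330681c DuplicateHandle "
    "697->698 699 3306783-33067be 697->699 700 3306825-3306842 698->700 "
    "701 330681e-3306824 698->701 699->698 701->700"
)


def parse_graph(text):
    """Return (kind, nodes, edges); nodes maps id -> {start, end, calls}."""
    tokens = text.split()
    kind, tokens = tokens[0], tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            current = None
            i += 1
        elif ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            lo, _, hi = tokens[i + 1].partition("-")   # single address or a-b range
            current = int(tok)
            nodes[current] = {"start": int(lo, 16), "end": int(hi or lo, 16), "calls": []}
            i += 2
        elif current is not None and tok == "call" and i + 1 < len(tokens):
            nodes[current]["calls"].append("call 0x%x" % int(tokens[i + 1], 16))
            i += 2
        elif current is not None:
            nodes[current]["calls"].append(tok)        # an imported API name
            i += 1
        else:
            raise ValueError("unexpected token %r" % tok)
    return kind, nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry points of the graph."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """Imported APIs on every node reachable from `start` (internal calls excluded)."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, stack, apis = set(), [start], []
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.extend(c for c in nodes[n]["calls"] if not c.startswith("call 0x"))
        stack.extend(succ[n])
    return sorted(apis)


def function_extent(nodes):
    """Lowest start and highest end address over all basic blocks."""
    return (min(n["start"] for n in nodes.values()),
            max(n["end"] for n in nodes.values()))


def summarize(text):
    """Map each root's start address (hex string) to the APIs it can reach."""
    _, nodes, edges = parse_graph(text)
    return {"0x%x" % nodes[r]["start"]: reachable_apis(nodes, edges, r)
            for r in roots(nodes, edges)}


if __name__ == "__main__":
    for graph in (EXECUTION_GRAPH, CONTROL_FLOW_GRAPH):
        kind, nodes, _ = parse_graph(graph)
        print(kind, "0x%x-0x%x" % function_extent(nodes), summarize(graph))
```

Feed it the full execution_graph line and it reproduces the five root chains listed at the top of this section; feed it a control_flow_graph line and function_extent gives the range to quote for that function. The parser deliberately fails on a token it cannot place rather than guessing, so a changed export format is noticed instead of silently producing a wrong API list.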