Windows Analysis Report
QUOTATION-9044456778.pdf (83kb).com.exe

Overview

General Information

Sample name: QUOTATION-9044456778.pdf (83kb).com.exe
Analysis ID: 1587580
MD5: 902afcb6d3f905ff4603200341f02874
SHA1: 473fad4ac13e9c8b6b80d17ae3fb658b28d1cd47
SHA256: 1787fd4fd81dca24ca10625e93d43168eea906184da17183ba53a306856c0f28
Tags: comexe, user-abuse_ch

Detection

PureLog Stealer, Quasar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Quasar RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • QUOTATION-9044456778.pdf (83kb).com.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
    • QUOTATION-9044456778.pdf (83kb).com.exe (PID: 2848 cmdline: "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
      • schtasks.exe (PID: 5920 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Exccelworkbook.exe (PID: 5908 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
        • Exccelworkbook.exe (PID: 6488 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
        • Exccelworkbook.exe (PID: 7140 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
        • Exccelworkbook.exe (PID: 6188 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
          • schtasks.exe (PID: 5408 cmdline: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Exccelworkbook.exe (PID: 1256 cmdline: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe MD5: 902AFCB6D3F905FF4603200341F02874)
    • Exccelworkbook.exe (PID: 5912 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
    • Exccelworkbook.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" MD5: 902AFCB6D3F905FF4603200341F02874)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
{"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "[elided]", "ServerCertificate": "[elided]"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000000.00000002.1561987446.0000000005C60000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 00000007.00000002.1707022913.0000000004785000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  (5 of 14 entries shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.5c60000.3.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.5c60000.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 6.2.Exccelworkbook.exe.495b390.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
  • 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
    • 0x28d0d8:$x1: Quasar.Common.Messages
    • 0x29d43b:$x1: Quasar.Common.Messages
    • 0x2a99f2:$x4: Uninstalling... good bye :-(
    • 0x2ab1e7:$xc2: 00 70 00 69 00 6E 00 67 00 20 00 2D 00 6E 00 20 00 31 00 30 00 20 00 6C 00 6F 00 63 00 61 00 6C 00 68 00 6F 00 73 00 74 00 20 00 3E 00 20 00 6E 00 75 00 6C 00 0D 00 0A 00 64 00 65 00 6C 00 20 ...
  (5 of 29 entries shown)

System Summary

Sigma matches:
  • Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe", ParentImage: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe, ParentProcessId: 6188, ParentProcessName: Exccelworkbook.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 5408, ProcessName: schtasks.exe
  • Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe", ParentImage: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe, ParentProcessId: 2848, ParentProcessName: QUOTATION-9044456778.pdf (83kb).com.exe, ProcessCommandLine: "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f, ProcessId: 5920, ProcessName: schtasks.exe

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
  • 2025-01-10T15:07:47.099927+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 94.156.177.117 | 5287 | 192.168.2.10 | 49716 | TCP
  • 2025-01-10T15:07:47.099927+0100 | 2027619 | 1 | Domain Observed Used for C2 Detected | 94.156.177.117 | 5287 | 192.168.2.10 | 49716 | TCP


AV Detection

Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack | Malware Configuration Extractor: Quasar {"Version": "1.4.1", "Host:Port": "twart.myfirewall.org:9792;rency.ydns.eu:5287;wqo9.firewall-gateway.de:8841;code1.ydns.eu:5287;wqo9.firewall-gateway.de:9792;", "SubDirectory": "SubDir", "InstallName": "Exccelworkbook.exe", "MutexName": "025351e291-5d1041-4fa37-932c7-869aeiQec514992", "StartupKey": "pdfdocument", "Tag": "CODE", "LogDirectoryName": "Logs", "ServerSignature": "[elided]", "ServerCertificate": "[elided]"}
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | ReversingLabs: Detection: 57%
Source: QUOTATION-9044456778.pdf (83kb).com.exe | Virustotal: Detection: 62%
Source: QUOTATION-9044456778.pdf (83kb).com.exe | ReversingLabs: Detection: 57%
Source: Yara match | File source: 6.2.Exccelworkbook.exe.495b390.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1707022913.0000000004785000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1619359768.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1681657823.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 5908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 1256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6188, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Joe Sandbox ML: detected
Source: QUOTATION-9044456778.pdf (83kb).com.exe | Joe Sandbox ML: detected
Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.10:49718 version: TLS 1.2
Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 4x nop then jmp 052B7B26h | 0_2_052B7532
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 4x nop then jmp 03427B26h | 6_2_03427532
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 4x nop then jmp 02C87B26h | 7_2_02C87532

Networking

Source: Network traffic | Suricata IDS: 2027619 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (Quasar CnC) : 94.156.177.117:5287 -> 192.168.2.10:49716
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 94.156.177.117:5287 -> 192.168.2.10:49716
Source: Malware configuration extractor | URLs: twart.myfirewall.org
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.10:49716 -> 94.156.177.117:5287
Source: Joe Sandbox View | IP Address: 195.201.57.90
Source: Joe Sandbox View | ASN Name: NET1-ASBG
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: ipwho.is
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: twart.myfirewall.org
Source: global traffic | DNS traffic detected: DNS query: rency.ydns.eu
Source: global traffic | DNS traffic detected: DNS query: ipwho.is
Source: Exccelworkbook.exe, 0000000A.00000002.3976727963.0000000001483000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F8008506.10.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Exccelworkbook.exe, 0000000A.00000002.3976727963.00000000014B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab9
Source: Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.is
Source: Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipwho.isd
Source: Exccelworkbook.exe, 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: Exccelworkbook.exe, 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/d
Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1585378847.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3979616638.000000000301C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is
Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ipwho.is/
Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3979616638.0000000003042000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

E-Banking Fraud

Source: Yara match | File source: 6.2.Exccelworkbook.exe.495b390.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1707022913.0000000004785000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1619359768.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1681657823.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 5908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 1256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6188, type: MEMORYSTR

System Summary

Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Quasar infostealer Author: ditekshen
Source: initial sample | Static PE information: Filename: QUOTATION-9044456778.pdf (83kb).com.exe
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B2C28
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B2C38
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B34A8
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B5660
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B513F
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B5150
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B3070
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 3_2_0188F03C
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 3_2_05A19068
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 3_2_05A10508
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 3_2_05A10518
Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 3_2_05A19EE0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_03425150
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_03423070
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_03425660
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_03422C38
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_03428CE0
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_034234A8
Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 6_2_05B74322
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B743226_2_05B74322
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B726F86_2_05B726F8
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B726EB6_2_05B726EB
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B7061C6_2_05B7061C
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B742B36_2_05B742B3
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B708C06_2_05B708C0
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05B708CC6_2_05B708CC
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05BBA6686_2_05BBA668
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 6_2_05BBA6636_2_05BBA663
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C830707_2_02C83070
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C851507_2_02C85150
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C856607_2_02C85660
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C834A87_2_02C834A8
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C88CE07_2_02C88CE0
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C82C287_2_02C82C28
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 7_2_02C82C387_2_02C82C38
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 10_2_015DF03C10_2_015DF03C
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 10_2_0803B6D010_2_0803B6D0
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 10_2_08037E4810_2_08037E48
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeCode function: 14_2_0136F03C14_2_0136F03C
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1561987446.0000000005C60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000000.1509291300.0000000000EEE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemgfs.exe@ vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1540669375.000000000150E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameClient.exe. vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1569402928.0000000001718000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exeBinary or memory string: OriginalFilenamemgfs.exe@ vs QUOTATION-9044456778.pdf (83kb).com.exe
                    Source: QUOTATION-9044456778.pdf (83kb).com.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@22/5@3/3
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION-9044456778.pdf (83kb).com.exe.logJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeMutant created: NULL
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeMutant created: \Sessions\1\BaseNamedObjects\Local\025351e291-5d1041-4fa37-932c7-869aeiQec514992
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
                    Source: QUOTATION-9044456778.pdf (83kb).com.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: QUOTATION-9044456778.pdf (83kb).com.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: QUOTATION-9044456778.pdf (83kb).com.exeVirustotal: Detection: 62%
                    Source: QUOTATION-9044456778.pdf (83kb).com.exeReversingLabs: Detection: 57%
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeFile read: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe"
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeProcess created: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe"
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeProcess created: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /fJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /fJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptnet.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: webio.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cabinet.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static file information: File size 3791872 > 1048576
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x39b000
                    Source: QUOTATION-9044456778.pdf (83kb).com.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
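                    The five static-PE entries above come straight from the image headers: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory marks a managed (.NET) executable, the DllCharacteristics bits are the listed mitigation flags, and a .text section whose virtual and raw sizes both exceed 0x100000 is the "bigger than" signal. The following Python is an added example written for this page, not Joe Sandbox code: it reads those three facts from a PE header with only the standard library. The header-only PE32 blob built by build_sample_pe() is constructed here to mirror the report's fields so the parser runs offline; it is not the analysed sample.

```python
import struct

# Data-directory index of the CLR (COM descriptor) header: present only in managed (.NET) images.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14

# IMAGE_DLLCHARACTERISTICS_* bits named in the report.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Threshold used by the "Virtual/Raw size of .text is bigger than" signatures above.
SECTION_SIZE_THRESHOLD = 0x100000


def pe_static_features(data):
    """Parse the DOS, COFF, optional and section headers of the PE image in `data`.

    Only headers are read; struct.error propagates if a header claims more bytes
    than the buffer holds, so wrap calls on untrusted input accordingly.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: DllCharacteristics at +70, NumberOfRvaAndSizes at +92
        dllchar_off, ndirs_off = opt + 70, opt + 92
    elif magic == 0x20B:    # PE32+: 8-byte stack/heap fields move NumberOfRvaAndSizes to +108
        dllchar_off, ndirs_off = opt + 70, opt + 108
    else:
        raise ValueError("unknown optional-header magic 0x%X" % magic)
    dllchar = struct.unpack_from("<H", data, dllchar_off)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dir_table = ndirs_off + 4
    com_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        _rva, com_size = struct.unpack_from(
            "<II", data, dir_table + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, _rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {
        "managed": com_size != 0,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit],
        "sections": sections,
        "oversized_sections": [s["name"] for s in sections
                               if s["virtual_size"] > SECTION_SIZE_THRESHOLD
                               or s["raw_size"] > SECTION_SIZE_THRESHOLD],
    }


def build_sample_pe(text_vsize=0x39B000, text_rawsize=0x39B000, dllchar=0x8560, managed=True):
    """Constructed input: a header-only PE32 image (no code, no data) whose fields mirror the
    report's static signatures. It is not the analysed sample; it lets the parser run offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section, 224-byte PE32 opt. header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, dllchar)                   # DllCharacteristics (0x8560 = the five flags above)
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header RVA/size
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x2000, text_rawsize, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    print(pe_static_features(build_sample_pe()))
```

                    On a real file call pe_static_features(open(path, "rb").read()). A managed image with a multi-megabyte .text section and every mitigation flag set is what a typical .NET compiler produces for a large, embedded-resource-heavy loader; none of these facts is malicious on its own, which is why the report lists them as supporting evidence rather than as detections.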
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B8F6D push FFFFFF8Bh; iretd 0_2_052B8F6F
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B5650 push 28052835h; retf 0_2_052B565D
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Code function: 0_2_052B10E1 push 7C05280Bh; retf 0_2_052B10ED
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 7_2_01103950 push eax; retf 7_2_01103959
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 7_2_02C8A162 push edx; retf 7_2_02C8A163
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Code function: 7_2_02C85650 push 2802C535h; retf 7_2_02C8565D
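                    The six "Code function" entries above are all the same idiom: a push of an immediate or register immediately followed by retf or iretd, which a compiler does not emit in user-mode code. The Python below is an added example for this page (not Joe Sandbox code): a linear byte scan that finds push/ret, push/retf and push/iretd sequences in a code region dumped from a process. SAMPLE_CODE is a buffer constructed here that reproduces the three instruction forms the report lists with benign instructions between them; the addresses are not those of the real sample, and the base passed to scan_push_ret() is whatever the region's load address was when you dumped it.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# Control transfers that, preceded by a push, redirect execution to the pushed value.
TERMINATORS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def _hit(addr, disasm, terminator):
    # retf/iretd after a push is a strong obfuscation indicator; push/ret (C3) is a common
    # obfuscated jmp but also occurs in legitimate code, so it is reported with low confidence.
    return {"addr": addr, "disasm": disasm, "confidence": "high" if terminator != 0xC3 else "low"}


def scan_push_ret(code, base=0):
    """Linear byte scan for push-then-return idioms in 32-bit x86 code.

    Matches 68 imm32, 6A imm8 (sign-extended) and 50+r followed by C3, CB or CF.
    This is a byte scan, not a disassembly: a hit can land inside an immediate or
    data, so confirm each address in a disassembler before acting on it.
    """
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 < n and code[i + 5] in TERMINATORS:
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(_hit(base + i, "push %08Xh; %s" % (imm, TERMINATORS[code[i + 5]]), code[i + 5]))
            i += 6
        elif op == 0x6A and i + 2 < n and code[i + 2] in TERMINATORS:
            imm = struct.unpack_from("<b", code, i + 1)[0] & 0xFFFFFFFF   # imm8 is sign-extended to 32 bits
            hits.append(_hit(base + i, "push %08Xh; %s" % (imm, TERMINATORS[code[i + 2]]), code[i + 2]))
            i += 3
        elif 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] in TERMINATORS:
            hits.append(_hit(base + i, "push %s; %s" % (REG32[op - 0x50], TERMINATORS[code[i + 1]]), code[i + 1]))
            i += 2
        else:
            i += 1
    return hits


# Constructed sample buffer (not bytes from the analysed sample): the three idioms in the
# report, interleaved with ordinary instructions that must not be flagged.
SAMPLE_CODE = bytes([
    0x90, 0x90,                                     # nop; nop
    0x6A, 0x8B, 0xCF,                               # push FFFFFF8Bh; iretd   (form seen at 0_2_052B8F6D)
    0x8B, 0xFF,                                     # mov edi, edi
    0x68, 0x35, 0x28, 0x05, 0x28, 0xCB,             # push 28052835h; retf    (form seen at 0_2_052B5650)
    0x68, 0x00, 0x10, 0x00, 0x00,                   # push 1000h   (followed by a call, so not flagged)
    0xE8, 0x00, 0x00, 0x00, 0x00,                   # call $+5
    0x50, 0xCB,                                     # push eax; retf          (form seen at 7_2_01103950)
    0x33, 0xC0, 0xC3,                               # xor eax, eax; ret
])

if __name__ == "__main__":
    for h in scan_push_ret(SAMPLE_CODE, base=0x1000):
        print("%08X  %-26s %s" % (h["addr"], h["disasm"], h["confidence"]))
```

                    Run it over a memory dump of the region (the report's addresses are in a heap-like range at 0x052Bxxxx and 0x02C8xxxx, not inside the image's .text, which is consistent with code that was unpacked or injected at run time) and then inspect each high-confidence hit in a disassembler to rule out data that merely looks like code.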
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | File created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
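                    That single command line is the whole persistence mechanism: a task named "pdfdocument" that runs the dropped Exccelworkbook.exe from the user's AppData\Roaming at every logon, at the highest run level the creating account can obtain, with /f so any task of the same name is overwritten silently. The Python below is an added example for this page, not Joe Sandbox code: it parses a schtasks command line (as recorded in Security event 4688 or Sysmon event 1) and lists the persistence indicators it carries. The command line from the report is used as-is; the two benign invocations beside it are constructed for contrast, and the user-writable directory list is an assumption you should tune to your environment.

```python
import re

# Directories an ordinary user can write to. A logon task whose action lives in one of these
# is the pattern in the report (the scheduled binary sits under AppData\Roaming). Assumed list.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\",
                      "\\programdata\\", "\\downloads\\")

# Constructed sample: the schtasks invocation recorded above, plus two benign invocations
# made up for contrast (not from the report).
SAMPLE_COMMAND_LINES = [
    r'"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
    r'schtasks /query /tn "pdfdocument"',
]

# A quoted argument (which may contain spaces) or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline):
    """Split a schtasks command line into {switch: value}; a bare switch maps to True."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    opts = {}
    i = 1                                   # tokens[0] is the program itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
            else:
                opts[key] = True
                i += 1
        else:
            i += 1
    return opts


def triage_schtasks(cmdline):
    """Return the persistence indicators present in a schtasks /create command line."""
    opts = parse_schtasks(cmdline)
    findings = []
    if "create" not in opts:
        return findings                     # /query, /delete, /change are out of scope here
    trigger = str(opts.get("sc", "")).upper()
    if trigger in ("ONLOGON", "ONSTART"):
        findings.append("triggers at %s, so it survives a reboot" % trigger.lower())
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("/rl HIGHEST: asks for the highest run level available to the creating account")
    action = str(opts.get("tr", ""))
    if any(d in action.lower() for d in USER_WRITABLE_DIRS):
        findings.append("action runs from a user-writable directory: %s" % action)
    if opts.get("f") is True:
        findings.append("/f: overwrites an existing task of the same name without prompting")
    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        print(cmd)
        for finding in triage_schtasks(cmd):
            print("   -", finding)
```

                    On a suspect host, confirm the task with schtasks /query /tn pdfdocument /v /fo LIST (the task's own XML lives under C:\Windows\System32\Tasks\pdfdocument), remove it with schtasks /delete /tn pdfdocument /f, and only then delete the binary it points at; deleting the binary first leaves a task that fails noisily at every logon.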

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | File opened: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | File opened: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe | Process information set: NOOPENFILEERRORBOX (79 identical entries; SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the dialog Windows would otherwise show when a file or library fails to open)
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match  File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2916, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: Exccelworkbook.exe PID: 5908, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: Exccelworkbook.exe PID: 1256, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 3020000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 3240000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 5240000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 80E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 90E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: A600000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 9290000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: B600000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 1880000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 34B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: 32A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 1AB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 35F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 33B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 8310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 7A00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: A590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 9310000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: B590000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 1100000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 2DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 2C10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 77A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 87A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 9CC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 8940000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: ACC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 15D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 3010000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 2F60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 1360000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 2EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory allocated: 4EC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Window / User API: threadDelayed 6664
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Window / User API: threadDelayed 3054
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe TID: 3228  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe TID: 6864  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 5900  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 6196  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 364  Thread sleep time: -23980767295822402s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 5440  Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe TID: 5924  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Thread delayed: delay time: 922337203685477
                    Source: Exccelworkbook.exe, 0000000A.00000002.3998671060.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3998671060.0000000005AD5000.00000004.00000020.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3998671060.0000000005A03000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Memory written: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Memory written: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Process created: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe "C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe"
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Process created: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Queries volume information: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe VolumeInformation
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Queries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.5c60000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.5c60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1561987446.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.Exccelworkbook.exe.495b390.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1707022913.0000000004785000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1619359768.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1681657823.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 5908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 1256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6188, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.5c60000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.5c60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1561987446.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.Exccelworkbook.exe.495b390.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.490dcc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION-9044456778.pdf (83kb).com.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Exccelworkbook.exe.4c789b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION-9044456778.pdf (83kb).com.exe.4249970.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1707022913.0000000004785000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1619359768.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1681657823.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTATION-9044456778.pdf (83kb).com.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 5908, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 1256, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Exccelworkbook.exe PID: 6188, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; bracketed numbers are the count badges shown next to a technique in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: [21] Windows Management Instrumentation; [1] Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: [1] Scheduled Task/Job; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: [111] Process Injection; [1] Scheduled Task/Job; [1] DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: [1] Masquerading; [1] Disable or Modify Tools; [41] Virtualization/Sandbox Evasion; [111] Process Injection; [1] Hidden Files and Directories; [2] Obfuscated Files or Information; [1] DLL Side-Loading
Credential Access: [11] Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: [1] Query Registry; [111] Security Software Discovery; [1] Process Discovery; [41] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] System Network Configuration Discovery; [23] System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: [11] Input Capture; [1] Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: [11] Encrypted Channel; [1] Non-Standard Port; [1] Ingress Tool Transfer; [2] Non-Application Layer Protocol; [113] Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID 1587580, sample QUOTATION-9044456778.pdf (83kb).com.exe, start date 10/01/2025, architecture WINDOWS, score 100). The graph image is not reproduced here; the process tree, drops, network contacts and signatures it encodes are:

Root: domains rency.ydns.eu, twart.myfirewall.org and 2 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 10 other signatures
• QUOTATION-9044456778.pdf (83kb).com.exe (started from root); dropped: QUOTATION-90444567... (83kb).com.exe.log, ASCII; signature: Injects a PE file into a foreign processes
  • QUOTATION-9044456778.pdf (83kb).com.exe (injected child); dropped: C:\Users\user\AppData\...xccelworkbook.exe, PE32; signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
    • Exccelworkbook.exe; signatures: Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, Injects a PE file into a foreign processes
      • Exccelworkbook.exe (injected child); network: rency.ydns.eu 94.156.177.117, ports 49716, 5287, NET1-ASBG Bulgaria; ipwho.is 195.201.57.90, ports 443, 49718, HETZNER-ASDE Germany; twart.myfirewall.org 127.0.0.4, unknown; signatures: Hides that the sample has been downloaded from the Internet (zone.identifier), Installs a global keyboard hook
        • schtasks.exe
          • conhost.exe
      • Exccelworkbook.exe
      • Exccelworkbook.exe
    • schtasks.exe
      • conhost.exe
• Exccelworkbook.exe (started from root, scheduled-task launch)
  • Exccelworkbook.exe
  • Exccelworkbook.exe

Source | Detection | Scanner | Label
QUOTATION-9044456778.pdf (83kb).com.exe | 62% | Virustotal |
QUOTATION-9044456778.pdf (83kb).com.exe | 58% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasarrat
QUOTATION-9044456778.pdf (83kb).com.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe | 58% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasarrat

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://schemas.datacontract.org/2004/07/d | 0% | Avira URL Cloud | safe
http://ipwho.isd | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
rency.ydns.eu | 94.156.177.117 | true | true | | unknown
ipwho.is | 195.201.57.90 | true | false | | high
twart.myfirewall.org | 127.0.0.4 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://ipwho.is/ | false | | high
twart.myfirewall.org | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/d | Exccelworkbook.exe, 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/14436606/23354 | QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3979616638.0000000003042000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354sCannot | QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/ | Exccelworkbook.exe, 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1585378847.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, Exccelworkbook.exe, 0000000A.00000002.3979616638.000000000301C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.is | Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, QUOTATION-9044456778.pdf (83kb).com.exe, 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Exccelworkbook.exe, 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ipwho.isd | Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031D2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipwho.is | Exccelworkbook.exe, 0000000A.00000002.3979616638.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
94.156.177.117 | rency.ydns.eu | Bulgaria | 43561 | NET1-ASBG | true
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false

IP (private)
127.0.0.4
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587580
Start date and time: 2025-01-10 15:06:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QUOTATION-9044456778.pdf (83kb).com.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@22/5@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 289
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172, 172.202.163.200, 2.23.242.162, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:07:29 | API Interceptor | 1x Sleep call for process: QUOTATION-9044456778.pdf (83kb).com.exe modified
09:07:35 | API Interceptor | 11108510x Sleep call for process: Exccelworkbook.exe modified
15:07:36 | Task Scheduler | Run new task: pdfdocument path: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.156.177.117 | QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | malicious | Quasar |
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
195.201.57.90 | Clipper.exe | malicious | Unknown | /?output=json
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Cryptor.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | malicious | Quasar | 195.201.57.90
ipwho.is | UXxZ4m65ro.exe | malicious | Quasar | 195.201.57.90
ipwho.is | ny9LDJr6pA.exe | malicious | Quasar | 195.201.57.90
ipwho.is | jaTDEkWCbs.exe | malicious | Quasar | 195.201.57.90
ipwho.is | 2Mi3lKoJfj.exe | malicious | Quasar | 195.201.57.90
ipwho.is | YJaaZuNHwI.exe | malicious | Quasar | 195.201.57.90
ipwho.is | Flasher.exe | malicious | Luca Stealer, Rusty Stealer | 108.181.61.49
ipwho.is | msgde.exe | malicious | Quasar | 108.181.61.49
ipwho.is | 6ee7HCp9cD.exe | malicious | Quasar | 108.181.61.49
ipwho.is | wUSt04rfJ0.exe | malicious | Quasar | 108.181.61.49
rency.ydns.eu | QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | malicious | Quasar | 94.156.177.117
rency.ydns.eu | Zam#U00f3wienie 89118 _ Metal-Constructions.pdf.com.exe | malicious | Quasar |
                                                  • 93.123.85.234
                                                  bg.microsoft.map.fastly.netShipping Document.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                  • 199.232.210.172
                                                  3254519122657813770.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.210.172
                                                  1712226379134618467.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.214.172
                                                  7401990642713807.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.214.172
                                                  A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dllGet hashmaliciousUnknownBrowse
                                                  • 199.232.210.172
                                                  382215884163542302.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.214.172
                                                  2503475573085815370.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.214.172
                                                  17772451271118687.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.210.172
                                                  1353125634235611874.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.214.172
                                                  1947415746274847548.jsGet hashmaliciousStrela DownloaderBrowse
                                                  • 199.232.210.172
                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  HETZNER-ASDEhttp://pdfdrive.com.coGet hashmaliciousUnknownBrowse
                                                  • 178.63.248.53
                                                  1162-201.exeGet hashmaliciousFormBookBrowse
                                                  • 136.243.64.147
                                                  3.elfGet hashmaliciousUnknownBrowse
                                                  • 197.242.86.251
                                                  https://199.188.109.181Get hashmaliciousUnknownBrowse
                                                  • 188.40.164.54
                                                  n41dQbiw1Y.exeGet hashmaliciousBabuk, DjvuBrowse
                                                  • 188.40.141.211
                                                  https://downloads.jam-software.de/ultrasearch/UltraSearch-Setup.exeGet hashmaliciousUnknownBrowse
                                                  • 116.202.5.43
                                                  https://customers.jam-software.de/downloadTrialProcess.php?article_no=671&Get hashmaliciousUnknownBrowse
                                                  • 78.47.225.43
                                                  Appraisal-nation-Review_and_Signature_Request46074.pdfGet hashmaliciousUnknownBrowse
                                                  • 195.201.80.48
                                                  Appraisal-nation-Review_and_Signature_Request46074.pdfGet hashmaliciousUnknownBrowse
                                                  • 195.201.80.48
                                                  NET1-ASBGFantazy.i486.elfGet hashmaliciousUnknownBrowse
                                                  • 95.87.199.40
                                                  Fantazy.x86_64.elfGet hashmaliciousUnknownBrowse
                                                  • 93.123.77.220
                                                  Kloki.arm7.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.191.90
                                                  Kloki.m68k.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.191.90
                                                  Kloki.x86_64.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.189.67
                                                  Kloki.x86.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.190.214
                                                  Kloki.arm4.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.191.90
                                                  Kloki.spc.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.191.90
                                                  Kloki.arm5.elfGet hashmaliciousUnknownBrowse
                                                  • 83.222.189.126
                                                  QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeGet hashmaliciousQuasarBrowse
                                                  • 94.156.177.117
                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  3b5074b1b5d032e5620f69f9f700ff0ePO#17971.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 195.201.57.90
                                                  https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGNGet hashmaliciousUnknownBrowse
                                                  • 195.201.57.90
                                                  IMG_10503677.exeGet hashmaliciousMassLogger RATBrowse
                                                  • 195.201.57.90
                                                  XClient.exeGet hashmaliciousXWormBrowse
                                                  • 195.201.57.90
                                                  RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                  • 195.201.57.90
                                                  1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                  • 195.201.57.90
                                                  https://aqctslc.com/Get hashmaliciousUnknownBrowse
                                                  • 195.201.57.90
                                                  https://sacredartscommunications.com/Get hashmaliciousHTMLPhisherBrowse
                                                  • 195.201.57.90
                                                  http://stonecoldstalley.com/Get hashmaliciousUnknownBrowse
                                                  • 195.201.57.90
                                                  No context
Process: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.2345913795203645
Encrypted: false
SSDEEP: 6:kKxWtL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:pWtiDImsLNkPlE99SNxAhUe/3
MD5: AD030E2DAB9F570C3AB9FB59EFBBD28B
SHA1: FFFC808ED708ED979767AD9474F0C2F309F5CF7A
SHA-256: 0B342966E005EF1E1597CEABC18F05606205C680113837A7C1ABC73AFCEBD6A6
SHA-512: A20884A673CECAC82A20E251E812246E30B3FF0060AC3DD5F26DC867420CDD95E12921F0A9EFFD776592225ECCBB516591B5487A668D544BE4A16F94754A1AFB
Malicious: false
Reputation: low
                                                  Preview:p...... ...........ic..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process: C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3791872
Entropy (8bit): 7.994905688236858
Encrypted: true
SSDEEP: 49152:Bg6eXlKawrTTN8CaimN0G0LI1yfuJDqHkN0IrmRZiLTqK2W3rcKmUd5mgo:BKVtw7N1aim/0pMtNrmRZu32W+Kgj
MD5: 902AFCB6D3F905FF4603200341F02874
SHA1: 473FAD4AC13E9C8B6B80D17AE3FB658B28D1CD47
SHA-256: 1787FD4FD81DCA24CA10625E93D43168EEA906184DA17183BA53A306856C0F28
SHA-512: E405EC77372DBF367C873D3531FC6455C44C4D185BD1A0B60C9314EA21B1B51F72818503366EFAA8D2D322C7819763986A837E06845A0F81EACB6E4C1A98EC3C
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 58%
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.994905688236858
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: QUOTATION-9044456778.pdf (83kb).com.exe
File size: 3'791'872 bytes
MD5: 902afcb6d3f905ff4603200341f02874
SHA1: 473fad4ac13e9c8b6b80d17ae3fb658b28d1cd47
SHA256: 1787fd4fd81dca24ca10625e93d43168eea906184da17183ba53a306856c0f28
SHA512: e405ec77372dbf367c873d3531fc6455c44c4d185bd1a0b60c9314ea21b1b51f72818503366efaa8d2d322c7819763986a837e06845a0f81eacb6e4c1a98ec3c
SSDEEP: 49152:Bg6eXlKawrTTN8CaimN0G0LI1yfuJDqHkN0IrmRZiLTqK2W3rcKmUd5mgo:BKVtw7N1aim/0pMtNrmRZu32W+Kgj
TLSH: 4E06331DBB42C872DB6D227FE9C3B3494845E725F835F67A4DD0386389318C9C1A66E1
Icon Hash: 33362c2d36335470
Entrypoint: 0x79cfbe
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x677F5F37 [Thu Jan 9 05:31:35 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x39cf70         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x39e000         0x2800        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3a2000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x39afc4 | 0x39b000 | 867135dfbdc022fc17b1a44ba7fd1a91 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x39e000 | 0x2800 | 0x2800 | 822b2f5732ea3fdbc214c946e4a1d293 | False | 0.87939453125 | data | 7.615533991634477 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x3a2000 | 0xc | 0x200 | e0419931c0eb7457218e8feb1f59bf7a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x39e0c8 | 0x2356 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9427371213796153
RT_GROUP_ICON | 0x3a0430 | 0x14 | data | | | 1.05
RT_VERSION | 0x3a0454 | 0x378 | data | | | 0.393018018018018
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T15:07:47.099927+0100 | 2027619 | ET MALWARE Observed Malicious SSL Cert (Quasar CnC) | 1 | 94.156.177.117 | 5287 | 192.168.2.10 | 49716 | TCP
2025-01-10T15:07:47.099927+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 94.156.177.117 | 5287 | 192.168.2.10 | 49716 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:07:45.885696888 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:45.890474081 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:45.890548944 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:45.895016909 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:45.899756908 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:47.032551050 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:47.032572031 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:47.032676935 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:47.095107079 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:47.099926949 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:47.404448986 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:47.463459015 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:48.364149094 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:48.364191055 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:48.364265919 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:48.365380049 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:48.365392923 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.292956114 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.293024063 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:49.297560930 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:49.297569990 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.297923088 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.303962946 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:49.347326994 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.499241114 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.499310017 CET | 443 | 49718 | 195.201.57.90 | 192.168.2.10
Jan 10, 2025 15:07:49.499511003 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:49.568619013 CET | 49718 | 443 | 192.168.2.10 | 195.201.57.90
Jan 10, 2025 15:07:50.133191109 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:50.137974977 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:50.138025999 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:50.142855883 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:50.597393990 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:50.650966883 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:07:50.807670116 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:07:50.950557947 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:08:15.822876930 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:08:15.827677011 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:08:40.838608980 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:08:40.843641043 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:09:05.854217052 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:09:05.858999014 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:09:30.917192936 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:09:30.922152042 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:09:56.026200056 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:09:56.031214952 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:10:21.041959047 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:10:21.047112942 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:10:46.151496887 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:10:46.157124043 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:11:11.168843985 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:11:11.173832893 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Jan 10, 2025 15:11:36.182663918 CET | 49716 | 5287 | 192.168.2.10 | 94.156.177.117
Jan 10, 2025 15:11:36.187850952 CET | 5287 | 49716 | 94.156.177.117 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:07:43.512339115 CET | 59457 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 15:07:43.523461103 CET | 53 | 59457 | 1.1.1.1 | 192.168.2.10
Jan 10, 2025 15:07:45.871052980 CET | 56795 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 15:07:45.884888887 CET | 53 | 56795 | 1.1.1.1 | 192.168.2.10
Jan 10, 2025 15:07:48.351814032 CET | 62445 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 15:07:48.358643055 CET | 53 | 62445 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:07:43.512339115 CET | 192.168.2.10 | 1.1.1.1 | 0x333c | Standard query (0) | twart.myfirewall.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:45.871052980 CET | 192.168.2.10 | 1.1.1.1 | 0x17fe | Standard query (0) | rency.ydns.eu | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:48.351814032 CET | 192.168.2.10 | 1.1.1.1 | 0x2820 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 15:07:26.318697929 CET | 1.1.1.1 | 192.168.2.10 | 0x661a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:26.318697929 CET | 1.1.1.1 | 192.168.2.10 | 0x661a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:43.523461103 CET | 1.1.1.1 | 192.168.2.10 | 0x333c | No error (0) | twart.myfirewall.org | | 127.0.0.4 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:45.884888887 CET | 1.1.1.1 | 192.168.2.10 | 0x17fe | No error (0) | rency.ydns.eu | | 94.156.177.117 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:47.568933964 CET | 1.1.1.1 | 192.168.2.10 | 0xd5e8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:47.568933964 CET | 1.1.1.1 | 192.168.2.10 | 0xd5e8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:07:48.358643055 CET | 1.1.1.1 | 192.168.2.10 | 0x2820 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
                                                  • ipwho.is
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49718 | 195.201.57.90 | 443 | 6188 | C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 14:07:49 UTC | 150 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Host: ipwho.is
Connection: Keep-Alive
2025-01-10 14:07:49 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 14:07:49 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Server: ipwhois
Access-Control-Allow-Headers: *
X-Robots-Tag: noindex
2025-01-10 14:07:49 UTC | 1021 | IN | Data Raw: 33 66 31 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
Data Ascii: 3f1{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.189", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo


                                                  Target ID:0
                                                  Start time:09:07:29
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe"
                                                  Imagebase:0xb50000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1561987446.0000000005C60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1541725770.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1571245849.0000000008C52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.1544040906.0000000004249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:09:07:32
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\QUOTATION-9044456778.pdf (83kb).com.exe"
                                                  Imagebase:0xda0000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1562657049.0000000000720000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000002.1562657049.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:09:07:34
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                                                  Imagebase:0x180000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:09:07:34
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff620390000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:09:07:34
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                  Imagebase:0xd50000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1619359768.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.1632944704.0000000004C77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 58%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:09:07:36
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Imagebase:0x670000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1707022913.0000000004785000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000007.00000002.1681657823.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:09:07:37
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                  Imagebase:0x370000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:09:07:37
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                  Imagebase:0x480000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:09:07:37
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                  Imagebase:0xa60000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000002.3979616638.000000000321E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:11
                                                  Start time:09:07:40
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"schtasks" /create /tn "pdfdocument" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe" /rl HIGHEST /f
                                                  Imagebase:0x180000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:09:07:40
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff620390000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:09:07:45
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                  Imagebase:0x10000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:09:07:45
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\SubDir\Exccelworkbook.exe"
                                                  Imagebase:0x8b0000
                                                  File size:3'791'872 bytes
                                                  MD5 hash:902AFCB6D3F905FF4603200341F02874
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:9.8%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:195
                                                    Total number of Limit Nodes:5
                                                    execution_graph 19670 52b7da8 19671 52b7f33 19670->19671 19673 52b7dce 19670->19673 19673->19671 19674 52b4348 19673->19674 19675 52b8028 PostMessageW 19674->19675 19676 52b8094 19675->19676 19676->19673 19879 306da60 19880 306daa2 19879->19880 19881 306daa8 GetModuleHandleW 19879->19881 19880->19881 19882 306dad5 19881->19882 19677 52b62a3 19678 52b6271 19677->19678 19683 52b61fc 19677->19683 19678->19683 19684 52b6b78 19678->19684 19704 52b6bee 19678->19704 19725 52b6b88 19678->19725 19679 52b6613 19685 52b6b88 19684->19685 19698 52b6baa 19685->19698 19745 52b702e 19685->19745 19750 52b7274 19685->19750 19755 52b7335 19685->19755 19759 52b74d5 19685->19759 19763 52b7256 19685->19763 19768 52b71f0 19685->19768 19773 52b721d 19685->19773 19780 52b6fdd 19685->19780 19785 52b72fe 19685->19785 19790 52b717e 19685->19790 19795 52b72bf 19685->19795 19800 52b713a 19685->19800 19805 52b6fbb 19685->19805 19810 52b76a4 19685->19810 19815 52b75e5 19685->19815 19819 52b7140 19685->19819 19824 52b7103 19685->19824 19698->19679 19705 52b6bf1 19704->19705 19706 52b6b7c 19704->19706 19705->19679 19707 52b702e 2 API calls 19706->19707 19708 52b7103 2 API calls 19706->19708 19709 52b7140 2 API calls 19706->19709 19710 52b6baa 19706->19710 19711 52b75e5 2 API calls 19706->19711 19712 52b76a4 2 API calls 19706->19712 19713 52b6fbb 2 API calls 19706->19713 19714 52b713a 2 API calls 19706->19714 19715 52b72bf 2 API calls 19706->19715 19716 52b717e 2 API calls 19706->19716 19717 52b72fe 2 API calls 19706->19717 19718 52b6fdd 2 API calls 19706->19718 19719 52b721d 4 API calls 19706->19719 19720 52b71f0 2 API calls 19706->19720 19721 52b7256 2 API calls 19706->19721 19722 52b74d5 2 API calls 19706->19722 19723 52b7335 2 API calls 19706->19723 19724 52b7274 2 API calls 19706->19724 19707->19710 19708->19710 19709->19710 19710->19679 19711->19710 19712->19710 19713->19710 19714->19710 19715->19710 19716->19710 19717->19710 19718->19710 
19719->19710 19720->19710 19721->19710 19722->19710 19723->19710 19724->19710 19726 52b6ba2 19725->19726 19727 52b702e 2 API calls 19726->19727 19728 52b7103 2 API calls 19726->19728 19729 52b7140 2 API calls 19726->19729 19730 52b75e5 2 API calls 19726->19730 19731 52b76a4 2 API calls 19726->19731 19732 52b6fbb 2 API calls 19726->19732 19733 52b713a 2 API calls 19726->19733 19734 52b72bf 2 API calls 19726->19734 19735 52b717e 2 API calls 19726->19735 19736 52b72fe 2 API calls 19726->19736 19737 52b6fdd 2 API calls 19726->19737 19738 52b721d 4 API calls 19726->19738 19739 52b6baa 19726->19739 19740 52b71f0 2 API calls 19726->19740 19741 52b7256 2 API calls 19726->19741 19742 52b74d5 2 API calls 19726->19742 19743 52b7335 2 API calls 19726->19743 19744 52b7274 2 API calls 19726->19744 19727->19739 19728->19739 19729->19739 19730->19739 19731->19739 19732->19739 19733->19739 19734->19739 19735->19739 19736->19739 19737->19739 19738->19739 19739->19679 19740->19739 19741->19739 19742->19739 19743->19739 19744->19739 19746 52b7040 19745->19746 19829 52b5ddf 19746->19829 19833 52b5de0 19746->19833 19751 52b727a 19750->19751 19837 52b5099 19751->19837 19841 52b50a0 19751->19841 19752 52b72a0 19752->19698 19845 52b5a98 19755->19845 19849 52b5a90 19755->19849 19756 52b7353 19853 52b5588 19759->19853 19857 52b5587 19759->19857 19760 52b74ef 19764 52b71a8 19763->19764 19765 52b76cd 19764->19765 19861 52b5c48 19764->19861 19865 52b5c40 19764->19865 19769 52b71f9 19768->19769 19869 52b5b58 19769->19869 19873 52b5b50 19769->19873 19770 52b7878 19778 52b5588 Wow64SetThreadContext 19773->19778 19779 52b5587 Wow64SetThreadContext 19773->19779 19774 52b71a8 19775 52b76cd 19774->19775 19776 52b5c48 ReadProcessMemory 19774->19776 19777 52b5c40 ReadProcessMemory 19774->19777 19776->19775 19777->19775 19778->19774 19779->19774 19781 52b6fbf 19780->19781 19783 52b5ddf CreateProcessA 19781->19783 19784 52b5de0 CreateProcessA 19781->19784 19782 52b70cb 19782->19698 19783->19782 
19784->19782 19786 52b728b 19785->19786 19787 52b72a0 19785->19787 19788 52b5099 ResumeThread 19786->19788 19789 52b50a0 ResumeThread 19786->19789 19787->19698 19788->19787 19789->19787 19791 52b71a7 19790->19791 19792 52b76cd 19791->19792 19793 52b5c48 ReadProcessMemory 19791->19793 19794 52b5c40 ReadProcessMemory 19791->19794 19793->19792 19794->19792 19796 52b728c 19795->19796 19797 52b72a0 19796->19797 19798 52b5099 ResumeThread 19796->19798 19799 52b50a0 ResumeThread 19796->19799 19797->19698 19798->19797 19799->19797 19801 52b71a7 19800->19801 19802 52b76cd 19801->19802 19803 52b5c48 ReadProcessMemory 19801->19803 19804 52b5c40 ReadProcessMemory 19801->19804 19803->19802 19804->19802 19806 52b7036 19805->19806 19808 52b5ddf CreateProcessA 19806->19808 19809 52b5de0 CreateProcessA 19806->19809 19807 52b70cb 19807->19698 19808->19807 19809->19807 19811 52b76aa 19810->19811 19813 52b5c48 ReadProcessMemory 19811->19813 19814 52b5c40 ReadProcessMemory 19811->19814 19812 52b76cd 19813->19812 19814->19812 19817 52b5b58 WriteProcessMemory 19815->19817 19818 52b5b50 WriteProcessMemory 19815->19818 19816 52b70f3 19816->19698 19817->19816 19818->19816 19820 52b714d 19819->19820 19822 52b5b58 WriteProcessMemory 19820->19822 19823 52b5b50 WriteProcessMemory 19820->19823 19821 52b70f3 19821->19698 19822->19821 19823->19821 19825 52b7116 19824->19825 19826 52b76cd 19825->19826 19827 52b5c48 ReadProcessMemory 19825->19827 19828 52b5c40 ReadProcessMemory 19825->19828 19827->19826 19828->19826 19830 52b5e69 19829->19830 19830->19830 19831 52b5fce CreateProcessA 19830->19831 19832 52b602b 19831->19832 19832->19832 19834 52b5e69 19833->19834 19834->19834 19835 52b5fce CreateProcessA 19834->19835 19836 52b602b 19835->19836 19836->19836 19838 52b50a0 ResumeThread 19837->19838 19840 52b5111 19838->19840 19840->19752 19842 52b50e0 ResumeThread 19841->19842 19844 52b5111 19842->19844 19844->19752 19846 52b5ad8 VirtualAllocEx 19845->19846 19848 52b5b15 19846->19848 19848->19756 19850 
52b5a98 VirtualAllocEx 19849->19850 19852 52b5b15 19850->19852 19852->19756 19854 52b55cd Wow64SetThreadContext 19853->19854 19856 52b5615 19854->19856 19856->19760 19858 52b55cd Wow64SetThreadContext 19857->19858 19860 52b5615 19858->19860 19860->19760 19862 52b5c93 ReadProcessMemory 19861->19862 19864 52b5cd7 19862->19864 19864->19765 19866 52b5c48 ReadProcessMemory 19865->19866 19868 52b5cd7 19866->19868 19868->19765 19870 52b5ba0 WriteProcessMemory 19869->19870 19872 52b5bf7 19870->19872 19872->19770 19874 52b5b58 WriteProcessMemory 19873->19874 19876 52b5bf7 19874->19876 19876->19770 19877 306fd48 DuplicateHandle 19878 306fdde 19877->19878 19883 30664f8 19884 3066501 19883->19884 19885 3066539 19884->19885 19888 3066570 19884->19888 19894 3066580 19884->19894 19890 30665a3 19888->19890 19889 306663b 19889->19884 19890->19889 19891 3066570 CreateActCtxA 19890->19891 19892 3066580 CreateActCtxA 19890->19892 19900 3066741 19890->19900 19891->19890 19892->19890 19895 30665a3 19894->19895 19896 306663b 19895->19896 19897 3066570 CreateActCtxA 19895->19897 19898 3066580 CreateActCtxA 19895->19898 19899 3066741 CreateActCtxA 19895->19899 19896->19884 19897->19895 19898->19895 19899->19895 19901 3066765 19900->19901 19905 3066850 19901->19905 19909 3066842 19901->19909 19906 3066855 19905->19906 19907 3066954 19906->19907 19913 3066404 19906->19913 19910 3066850 19909->19910 19911 3066954 19910->19911 19912 3066404 CreateActCtxA 19910->19912 19912->19911 19914 3067ce0 CreateActCtxA 19913->19914 19916 3067da3 19914->19916

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 0 52b5de0-52b5e75 2 52b5eae-52b5ece 0->2 3 52b5e77-52b5e81 0->3 10 52b5ed0-52b5eda 2->10 11 52b5f07-52b5f36 2->11 3->2 4 52b5e83-52b5e85 3->4 5 52b5ea8-52b5eab 4->5 6 52b5e87-52b5e91 4->6 5->2 8 52b5e93 6->8 9 52b5e95-52b5ea4 6->9 8->9 9->9 12 52b5ea6 9->12 10->11 13 52b5edc-52b5ede 10->13 19 52b5f38-52b5f42 11->19 20 52b5f6f-52b6029 CreateProcessA 11->20 12->5 15 52b5f01-52b5f04 13->15 16 52b5ee0-52b5eea 13->16 15->11 17 52b5eee-52b5efd 16->17 18 52b5eec 16->18 17->17 21 52b5eff 17->21 18->17 19->20 22 52b5f44-52b5f46 19->22 31 52b602b-52b6031 20->31 32 52b6032-52b60b8 20->32 21->15 24 52b5f69-52b5f6c 22->24 25 52b5f48-52b5f52 22->25 24->20 26 52b5f56-52b5f65 25->26 27 52b5f54 25->27 26->26 29 52b5f67 26->29 27->26 29->24 31->32 42 52b60ba-52b60be 32->42 43 52b60c8-52b60cc 32->43 42->43 44 52b60c0 42->44 45 52b60ce-52b60d2 43->45 46 52b60dc-52b60e0 43->46 44->43 45->46 49 52b60d4 45->49 47 52b60e2-52b60e6 46->47 48 52b60f0-52b60f4 46->48 47->48 50 52b60e8 47->50 51 52b6106-52b610d 48->51 52 52b60f6-52b60fc 48->52 49->46 50->48 53 52b610f-52b611e 51->53 54 52b6124 51->54 52->51 53->54 56 52b6125 54->56 56->56
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052B6016
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID: BEjL$BEjL
                                                    • API String ID: 963392458-3006919381
                                                    • Opcode ID: 1cbb2f5ba7f2003d4c36f838668e3f24d5676a6bea442a20374f877c317a7f45
                                                    • Instruction ID: 634e1fbfa876a1f5b08109cd5ba778b7c3a84c52d4798f552edd019eaf381f3b
                                                    • Opcode Fuzzy Hash: 1cbb2f5ba7f2003d4c36f838668e3f24d5676a6bea442a20374f877c317a7f45
                                                    • Instruction Fuzzy Hash: 7F914971D10219DFEF20CF69C840BEDBBB2BF49350F148569E819A7240EBB59985CF91

                                                    Control-flow Graph

                                                    control_flow_graph 57 52b5ddf-52b5e75 59 52b5eae-52b5ece 57->59 60 52b5e77-52b5e81 57->60 67 52b5ed0-52b5eda 59->67 68 52b5f07-52b5f36 59->68 60->59 61 52b5e83-52b5e85 60->61 62 52b5ea8-52b5eab 61->62 63 52b5e87-52b5e91 61->63 62->59 65 52b5e93 63->65 66 52b5e95-52b5ea4 63->66 65->66 66->66 69 52b5ea6 66->69 67->68 70 52b5edc-52b5ede 67->70 76 52b5f38-52b5f42 68->76 77 52b5f6f-52b6029 CreateProcessA 68->77 69->62 72 52b5f01-52b5f04 70->72 73 52b5ee0-52b5eea 70->73 72->68 74 52b5eee-52b5efd 73->74 75 52b5eec 73->75 74->74 78 52b5eff 74->78 75->74 76->77 79 52b5f44-52b5f46 76->79 88 52b602b-52b6031 77->88 89 52b6032-52b60b8 77->89 78->72 81 52b5f69-52b5f6c 79->81 82 52b5f48-52b5f52 79->82 81->77 83 52b5f56-52b5f65 82->83 84 52b5f54 82->84 83->83 86 52b5f67 83->86 84->83 86->81 88->89 99 52b60ba-52b60be 89->99 100 52b60c8-52b60cc 89->100 99->100 101 52b60c0 99->101 102 52b60ce-52b60d2 100->102 103 52b60dc-52b60e0 100->103 101->100 102->103 106 52b60d4 102->106 104 52b60e2-52b60e6 103->104 105 52b60f0-52b60f4 103->105 104->105 107 52b60e8 104->107 108 52b6106-52b610d 105->108 109 52b60f6-52b60fc 105->109 106->103 107->105 110 52b610f-52b611e 108->110 111 52b6124 108->111 109->108 110->111 113 52b6125 111->113 113->113
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 052B6016
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID: BEjL$BEjL
                                                    • API String ID: 963392458-3006919381
                                                    • Opcode ID: e53a0c179c43ea9ef2bcb45326e3c252f4acb898aa2dcd15f61f2df18a9e9207
                                                    • Instruction ID: 10d275fe1d223713ed87b19b165778ffa569c61a57ecd04da6990f4f8aa0eaa3
                                                    • Opcode Fuzzy Hash: e53a0c179c43ea9ef2bcb45326e3c252f4acb898aa2dcd15f61f2df18a9e9207
                                                    • Instruction Fuzzy Hash: 1F914A71D10219DFEF20CF69C840BEDBBB2BF48350F148569E819A7240EBB59985CF91

                                                    Control-flow Graph

                                                    control_flow_graph 114 3066404-3067da1 CreateActCtxA 118 3067da3-3067da9 114->118 119 3067daa-3067e04 114->119 118->119 126 3067e06-3067e09 119->126 127 3067e13-3067e17 119->127 126->127 128 3067e28 127->128 129 3067e19-3067e25 127->129 131 3067e29 128->131 129->128 131->131
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 03067D91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1541063975.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3060000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: BEjL
                                                    • API String ID: 2289755597-2255523351
                                                    • Opcode ID: 61c507016ad8261c3fb0a00d394c5860a4513fc550b4c2cf296a7f578902db56
                                                    • Instruction ID: c28f54b01b4310e71b65f983fb5217ef0ef03ccb0eb424ae1c6ce65e4886812a
                                                    • Opcode Fuzzy Hash: 61c507016ad8261c3fb0a00d394c5860a4513fc550b4c2cf296a7f578902db56
                                                    • Instruction Fuzzy Hash: 2041D2B0C0071CCBEB24CFA9C844B9DBBF6BF49704F60846AD408AB255D7B56946CF90

                                                    Control-flow Graph

                                                    control_flow_graph 132 3067cd5-3067cde 133 3067ce5-3067da1 CreateActCtxA 132->133 134 3067ce0-3067ce4 132->134 136 3067da3-3067da9 133->136 137 3067daa-3067e04 133->137 134->133 136->137 144 3067e06-3067e09 137->144 145 3067e13-3067e17 137->145 144->145 146 3067e28 145->146 147 3067e19-3067e25 145->147 149 3067e29 146->149 147->146 149->149
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 03067D91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1541063975.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3060000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: BEjL
                                                    • API String ID: 2289755597-2255523351
                                                    • Opcode ID: 76b09db4fdad984a4960c4b28cbb52b056d7d0b9b9f645161ec8e44322ae19b4
                                                    • Instruction ID: 3b78b441e588d57e722d3d2c83635c610041d69beae180cde3a790a21e029d2c
                                                    • Opcode Fuzzy Hash: 76b09db4fdad984a4960c4b28cbb52b056d7d0b9b9f645161ec8e44322ae19b4
                                                    • Instruction Fuzzy Hash: 2641D0B0C01718DBEB24CFA9C884B9DBBF6BF49704F24846AD408AB255D7B56946CF90

                                                    Control-flow Graph

                                                    control_flow_graph 150 52b5b50-52b5ba6 153 52b5ba8-52b5bb4 150->153 154 52b5bb6-52b5bf5 WriteProcessMemory 150->154 153->154 156 52b5bfe-52b5c2e 154->156 157 52b5bf7-52b5bfd 154->157 157->156
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 052B5BE8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID: BEjL
                                                    • API String ID: 3559483778-2255523351
                                                    • Opcode ID: b0e66caf4f8d9a4ff8f634415ae16e66c9cff42ba37fdc11802630f34b845c39
                                                    • Instruction ID: 65d455149d6a3fab54a43d01ba80c0faab18385dbf55fe0ffa7539a22d448adc
                                                    • Opcode Fuzzy Hash: b0e66caf4f8d9a4ff8f634415ae16e66c9cff42ba37fdc11802630f34b845c39
                                                    • Instruction Fuzzy Hash: 232157759003499FDB10CFAAC885BEEBBF5FF49310F14842AE959A7240DB789941CBA0

                                                    Control-flow Graph

                                                    control_flow_graph 161 52b5b58-52b5ba6 163 52b5ba8-52b5bb4 161->163 164 52b5bb6-52b5bf5 WriteProcessMemory 161->164 163->164 166 52b5bfe-52b5c2e 164->166 167 52b5bf7-52b5bfd 164->167 167->166
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 052B5BE8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID: BEjL
                                                    • API String ID: 3559483778-2255523351
                                                    • Opcode ID: 744d455cc80d6f1f02a01b914b451cd3e52ba68480732fb7f06171864a94df58
                                                    • Instruction ID: e3907b3b8d5258f54c4fddc29ca46d38c8793ea953a54d8d9431139fb44ed72a
                                                    • Opcode Fuzzy Hash: 744d455cc80d6f1f02a01b914b451cd3e52ba68480732fb7f06171864a94df58
                                                    • Instruction Fuzzy Hash: F02127759003599FDB10CFAAC885BEEBBF5FF48310F108429E919A7240D7789941CBA0

                                                    Control-flow Graph

                                                    control_flow_graph 171 52b5c40-52b5cd5 ReadProcessMemory 175 52b5cde-52b5d0e 171->175 176 52b5cd7-52b5cdd 171->176 176->175
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052B5CC8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID: BEjL
                                                    • API String ID: 1726664587-2255523351
                                                    • Opcode ID: a0b4d8631ffe7818037ddb7b2fc0a6a397debedf00927e22774e935a9cd45f64
                                                    • Instruction ID: 5b4d02a25d5379f34f496db27a9fd8c34b8f0ee5f6786ea8c24a3063eeb5b827
                                                    • Opcode Fuzzy Hash: a0b4d8631ffe7818037ddb7b2fc0a6a397debedf00927e22774e935a9cd45f64
                                                    • Instruction Fuzzy Hash: 38212871D003599FDB10CFAAC885BEEBBF5FF48310F14842AE919A7250D7799941CBA0

                                                    Control-flow Graph

                                                    control_flow_graph 180 52b5588-52b55d3 182 52b55e3-52b5613 Wow64SetThreadContext 180->182 183 52b55d5-52b55e1 180->183 185 52b561c-52b564c 182->185 186 52b5615-52b561b 182->186 183->182 186->185
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 052B5606
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID: BEjL
                                                    • API String ID: 983334009-2255523351
                                                    • Opcode ID: 39ab396693dd42788c5dd181b1dcce57fc45f59f64b06e0b5140ffe0bbd28b7c
                                                    • Instruction ID: 637e08821f827b306d6119c5c4afbfb4aeb32c8b0a9783f5aab65ea6dec202c5
                                                    • Opcode Fuzzy Hash: 39ab396693dd42788c5dd181b1dcce57fc45f59f64b06e0b5140ffe0bbd28b7c
                                                    • Instruction Fuzzy Hash: 35212371D103098FEB10DFAAC4857EEBBF5EF48360F14842AD419A7240DBB8A945CFA4

                                                    Control-flow Graph

                                                    control_flow_graph 190 52b5c48-52b5cd5 ReadProcessMemory 193 52b5cde-52b5d0e 190->193 194 52b5cd7-52b5cdd 190->194 194->193
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 052B5CC8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID: BEjL
                                                    • API String ID: 1726664587-2255523351
                                                    • Opcode ID: 71da744acb47f6e2d650d6cb36e6b06daf1384b5a0199c657084116d93b358ad
                                                    • Instruction ID: 5296db9ce35b91b94ddf7ef2d66fa6285edbc3db428c2c02a6223112f8309bdc
                                                    • Opcode Fuzzy Hash: 71da744acb47f6e2d650d6cb36e6b06daf1384b5a0199c657084116d93b358ad
                                                    • Instruction Fuzzy Hash: 4221F871D003599FDB10DFAAC885BEEBBF5FF48310F108429E919A7250D7799941CBA4

                                                    Control-flow Graph

                                                    control_flow_graph 198 306fd48-306fddc DuplicateHandle 199 306fde5-306fe02 198->199 200 306fdde-306fde4 198->200 200->199
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0306FDCF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1541063975.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3060000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID: BEjL
                                                    • API String ID: 3793708945-2255523351
                                                    • Opcode ID: 7df7cfa39a478700987d8540496bbcc1040c0f03e65a637aed3b00bd841337dd
                                                    • Instruction ID: d45f6ea12dadad54890679f3350248876bd719f74335fc198a5f3187886f3408
                                                    • Opcode Fuzzy Hash: 7df7cfa39a478700987d8540496bbcc1040c0f03e65a637aed3b00bd841337dd
                                                    • Instruction Fuzzy Hash: 2D21E2B59002499FDB10CFAAD884ADEFBF9FB48310F14841AE918A7310D378A940CFA4

                                                    Control-flow Graph

                                                    control_flow_graph 203 52b5587-52b55d3 205 52b55e3-52b5613 Wow64SetThreadContext 203->205 206 52b55d5-52b55e1 203->206 208 52b561c-52b564c 205->208 209 52b5615-52b561b 205->209 206->205 209->208
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 052B5606
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID: BEjL
                                                    • API String ID: 983334009-2255523351
                                                    • Opcode ID: 4b10379f52ab9ec4380c147f1bd711406b2cb5a15bec8fd808e1fd8509a67eb9
                                                    • Instruction ID: e298575dd5d85b16d94a1e1207b742ba35de19c8c2969164e6fd931e5b25a59a
                                                    • Opcode Fuzzy Hash: 4b10379f52ab9ec4380c147f1bd711406b2cb5a15bec8fd808e1fd8509a67eb9
                                                    • Instruction Fuzzy Hash: FF2134B5D103098FEB10CFAAC4857EEBBF5BF48360F14842AD419A7240DB789945CFA0

                                                    Control-flow Graph
                                                    • Block 213: 52b5a90-52b5b13 (VirtualAllocEx)
                                                    • Block 217: 52b5b1c-52b5b41
                                                    • Block 218: 52b5b15-52b5b1b
                                                    • Edges: 213->217, 213->218, 218->217
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052B5B06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: BEjL
                                                    • API String ID: 4275171209-2255523351
                                                    • Opcode ID: 969b70d52abe79870c23d190fef2110e5c6276a6d69f08d6b83323eb6c05cd0e
                                                    • Instruction ID: 0b4edc329f9d6bf423e6caac0fd69f15da982041c4b74618cbd2bce8bdf06b69
                                                    • Opcode Fuzzy Hash: 969b70d52abe79870c23d190fef2110e5c6276a6d69f08d6b83323eb6c05cd0e
                                                    • Instruction Fuzzy Hash: BF1136719002499BDB20DFAAC845BDEBBF5EF49320F148419E919A7250CA799941CBA0

                                                    Control-flow Graph
                                                    • Block 222: 52b5a98-52b5b13 (VirtualAllocEx)
                                                    • Block 225: 52b5b1c-52b5b41
                                                    • Block 226: 52b5b15-52b5b1b
                                                    • Edges: 222->225, 222->226, 226->225
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 052B5B06
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID: BEjL
                                                    • API String ID: 4275171209-2255523351
                                                    • Opcode ID: e17429ee44155e84717ea9760eb923509ba5cf64bb747d8bded6227233acbda1
                                                    • Instruction ID: 360f4023193ddfb36a8108158cf32c4e483c0dda788d8a6761c17b4c22d0cf0a
                                                    • Opcode Fuzzy Hash: e17429ee44155e84717ea9760eb923509ba5cf64bb747d8bded6227233acbda1
                                                    • Instruction Fuzzy Hash: A41137759003499FDB20DFAAC844BDEBBF5FF48320F148419E519A7250CB79A941CFA0

                                                    Control-flow Graph
                                                    • Block 230: 52b5099-52b510f (ResumeThread)
                                                    • Block 234: 52b5118-52b513d
                                                    • Block 235: 52b5111-52b5117
                                                    • Edges: 230->234, 230->235, 235->234
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID: BEjL
                                                    • API String ID: 947044025-2255523351
                                                    • Opcode ID: d1de5d4b0199caaf2308d8ac9d56dadc4d966b93e4949df0c979d7f309879910
                                                    • Instruction ID: 864ff058c06fbf9ed53af8cd76bf5987307c166d0065762166301acfe4e26eaa
                                                    • Opcode Fuzzy Hash: d1de5d4b0199caaf2308d8ac9d56dadc4d966b93e4949df0c979d7f309879910
                                                    • Instruction Fuzzy Hash: 90111971D003498FDB20DFAAC4457DEBBF5EF48324F148419D519A7240DA79A941CFA4

                                                    Control-flow Graph
                                                    • Block 239: 52b50a0-52b510f (ResumeThread)
                                                    • Block 242: 52b5118-52b513d
                                                    • Block 243: 52b5111-52b5117
                                                    • Edges: 239->242, 239->243, 243->242
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID: BEjL
                                                    • API String ID: 947044025-2255523351
                                                    • Opcode ID: 45f27a1a31fc7fa0e71526a52767e67fe5828440d22a0c471c7830eefc486670
                                                    • Instruction ID: 32eb7a190d0a0038def84895ba906a25c6a2edfd75d320c78e0cd863ea75302d
                                                    • Opcode Fuzzy Hash: 45f27a1a31fc7fa0e71526a52767e67fe5828440d22a0c471c7830eefc486670
                                                    • Instruction Fuzzy Hash: 291125B1D003488FDB20DFAAC8457EEFBF5EF88320F248419D519A7240DA79A941CFA4
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 052B8085
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID: BEjL
                                                    • API String ID: 410705778-2255523351
                                                    • Opcode ID: 6846001782e94422414df88c4a34b7321bd4284f2cd327a6fa3281ec023bcf99
                                                    • Instruction ID: b292b0fdb5b91d0baf2c15643361382d34d848f2530384406a968c3233eb012e
                                                    • Opcode Fuzzy Hash: 6846001782e94422414df88c4a34b7321bd4284f2cd327a6fa3281ec023bcf99
                                                    • Instruction Fuzzy Hash: 491106B5800349DFDB20CF9AC445BDEBBF8FB48350F108819E959A7200C3B9A944CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0306DAC6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1541063975.0000000003060000.00000040.00000800.00020000.00000000.sdmp, Offset: 03060000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_3060000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID: BEjL
                                                    • API String ID: 4139908857-2255523351
                                                    • Opcode ID: 5a7d2a6e4ab936060b119ca4debf4f856d02d9ee998376e4919e67b73369821a
                                                    • Instruction ID: 9f73dc9125e86b195ba2bb9ed3262589201e52735b8703f2035bad90c32a73a8
                                                    • Opcode Fuzzy Hash: 5a7d2a6e4ab936060b119ca4debf4f856d02d9ee998376e4919e67b73369821a
                                                    • Instruction Fuzzy Hash: F51110B5D042498FCB20CF9AC844BDEFBF5EF88220F14841AD829A7610C379A545CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 052B8085
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID: BEjL
                                                    • API String ID: 410705778-2255523351
                                                    • Opcode ID: 38755ecdbd7d274bb970bf512f9236f74f73fcb17dbcc7bceb1220436b10d1b4
                                                    • Instruction ID: 52c392f46d4fefd0979f66028a6fde2f92c30df743c3f8b9f386817c387dc36b
                                                    • Opcode Fuzzy Hash: 38755ecdbd7d274bb970bf512f9236f74f73fcb17dbcc7bceb1220436b10d1b4
                                                    • Instruction Fuzzy Hash: 061106B58003499FDB10CF9AC885BDEBFF8FB48364F148819E959A7200C379A944CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540514745.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f5a6ab57471d1d885da2e61a1c646315d8bf9fa993096716801a6fc37cb44bf2
                                                    • Instruction ID: 62dad13cb4a5a8924b86ac9f5b4f43e5643172f7fed439c31a3a232a69ec9bbb
                                                    • Opcode Fuzzy Hash: f5a6ab57471d1d885da2e61a1c646315d8bf9fa993096716801a6fc37cb44bf2
                                                    • Instruction Fuzzy Hash: A521007A900240DFDB45DF54D8C0B26BB61EB98618F20C57EE9090A266C336D446CAA2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540514745.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ac7f1a24f9401bc1f294f224536a3e56e8137dc4afdd117cb1573ce21bbd758
                                                    • Instruction ID: a6cff78442a1d0c65b1cd5fade43ae81bdd5f0625fe3482d96b05a54fcf47ba9
                                                    • Opcode Fuzzy Hash: 9ac7f1a24f9401bc1f294f224536a3e56e8137dc4afdd117cb1573ce21bbd758
                                                    • Instruction Fuzzy Hash: 4A21F479900204DFDB45DF54D9C0B66FB65FB88714F20C17EDA090B266C336E456CAE6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540589225.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14ed000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6462df40d29ca9d1dc65fc142876c3244711fac028ed41a048fe2e7e16712641
                                                    • Instruction ID: ac81ce5dbb686fec2235dce2b5375761a6015ba7fe3a5d0eb14c8212cb35e916
                                                    • Opcode Fuzzy Hash: 6462df40d29ca9d1dc65fc142876c3244711fac028ed41a048fe2e7e16712641
                                                    • Instruction Fuzzy Hash: 962103B1904300DFDB15DF54D888B16BFA1EB84259F28C56AD80A0B366C33AD447CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540589225.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14ed000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac21540ffd42525cc728f7bbe21eb075bdb4ca65baef12b68363f367ce88ea55
                                                    • Instruction ID: b039ad253fc8ca8d8e53de6385f06d3b6553a0307143641bd53b4564175a29f1
                                                    • Opcode Fuzzy Hash: ac21540ffd42525cc728f7bbe21eb075bdb4ca65baef12b68363f367ce88ea55
                                                    • Instruction Fuzzy Hash: 00210775904344DFDB05DF94D9C4F16BBA5FB84325F20C56ED8494B3A2C336D446CA61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540589225.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14ed000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c5d7ded5bcc810353d8ad08c6c578eae9b35ae65d158ebf50897100848193ad
                                                    • Instruction ID: 27a6be93199dadebd28653827faf810ba82e93c31d3f638a2aaf428dd7712dd2
                                                    • Opcode Fuzzy Hash: 9c5d7ded5bcc810353d8ad08c6c578eae9b35ae65d158ebf50897100848193ad
                                                    • Instruction Fuzzy Hash: B12183755093808FCB06CF24D594716BFB1EB46214F28C5DBD8498B267C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540514745.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction ID: 53e696a8fdaef5fb851bb8c4912880cee2863694efe567e272249dad271e9b73
                                                    • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction Fuzzy Hash: AA11CD76804240DFCB06CF44D9C0B56BF61FB84224F2482BED9090B266C33AE456CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540514745.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction ID: 8fdb9b4af38adf290400e739b28d6b52e876607fe833e446238ac27731d5511e
                                                    • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction Fuzzy Hash: 3411AF76904280CFCB16CF54D9C4B16BF71FB98714F24C6AED8490B666C336D456CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540589225.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14ed000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction ID: 18b9cb934944c6518b24ef09bddfcc4d6e31dfb8b3e614e791db30afe6e26c47
                                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction Fuzzy Hash: 2711BB75904280DFCB06CF54C5C4B16BFA1FB84224F24C6AAD8494B3A6C33AD40ACB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540514745.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ff50cc45545e3e130ca3e524d1325c58d9abbac5807e5914fdd9c2e7e0b13d76
                                                    • Instruction ID: 3b4f3debd68060a52cfd74df11555de907e67bcb7db81579a3d91248ad598493
                                                    • Opcode Fuzzy Hash: ff50cc45545e3e130ca3e524d1325c58d9abbac5807e5914fdd9c2e7e0b13d76
                                                    • Instruction Fuzzy Hash: E801F7398063809AF7619A55CC84B67BBA8DF41A64F04C53FED090A292D3799842CAF5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1540514745.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 41e6dec0ea62ee914941cf117353d98aae2c1bae850af6a8e2a0a3d87faf5d48
                                                    • Instruction ID: 3a9d116866c7bf29f9423359de4a3c683efc39a82591f33d71b49923d3786e40
                                                    • Opcode Fuzzy Hash: 41e6dec0ea62ee914941cf117353d98aae2c1bae850af6a8e2a0a3d87faf5d48
                                                    • Instruction Fuzzy Hash: 78F06275405384AEE7208E19CCC4B63FF98EB81674F18C46AED095F696C2799845CEB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3b611462f0b6b52f8c130e137d5cc95652d5bbfc8f2062f6dbcbe54446f3aa7
                                                    • Instruction ID: 3e35c1857870208f12809fe0cfc445951fcc56e691bbe437cfc968528c072316
                                                    • Opcode Fuzzy Hash: e3b611462f0b6b52f8c130e137d5cc95652d5bbfc8f2062f6dbcbe54446f3aa7
                                                    • Instruction Fuzzy Hash: 47E1F874E142198FEB14CFA9C580AAEFBB2FF89304F248169D454AB355D771AD42CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61cd4f55caff9e18beab85719ba3fcf5693eb0da809dcaddaebdc3554ebb67b6
                                                    • Instruction ID: f301501071b232cc145b0289c03a9e3730251bae467dce6a2ec8bde81fb19a2e
                                                    • Opcode Fuzzy Hash: 61cd4f55caff9e18beab85719ba3fcf5693eb0da809dcaddaebdc3554ebb67b6
                                                    • Instruction Fuzzy Hash: 60E12774E142198FEB14CFA9C580AAEFBB2FF89304F248569D454AB355D770AD42CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a139e78b2ccc03af8deedb31576d4fb727e8801cac66d57469320ae4fbd4be2
                                                    • Instruction ID: 0f56fa114453fe5119d334cfe26e20ea6ec804cf6d0357b381640283d0365ba5
                                                    • Opcode Fuzzy Hash: 3a139e78b2ccc03af8deedb31576d4fb727e8801cac66d57469320ae4fbd4be2
                                                    • Instruction Fuzzy Hash: 6EE1E674E142198FEB14CFA9C580AAEFBB2FF89304F248169D455AB355D770AD42CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69f03d9753c99541cac2aaac3d9f5dcf5858bf88d4d2ee193a4408bfebce1d9d
                                                    • Instruction ID: c2be132eb30af4cdf6ab2c357b6adad4f925ef0164f0e4c6f696920c80bb830a
                                                    • Opcode Fuzzy Hash: 69f03d9753c99541cac2aaac3d9f5dcf5858bf88d4d2ee193a4408bfebce1d9d
                                                    • Instruction Fuzzy Hash: 32E10474E142198FEB14CFA8D580AAEBBF2FF89305F248169D458AB355D770AD42CF60
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a659193743632cf7a9ee41589f1e44459efac33e6d11b6595da0a6cbf1b35cc2
                                                    • Instruction ID: 67a6c627e9aea034609af8db2139acf6a1381ec3e451ab6249b6f4aae4f9c865
                                                    • Opcode Fuzzy Hash: a659193743632cf7a9ee41589f1e44459efac33e6d11b6595da0a6cbf1b35cc2
                                                    • Instruction Fuzzy Hash: 8CE11974E142198FEB14CFA9C580AAEFBB2FF89304F248569D454AB355D770AD42CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b338b6c3f670830eb38ed93b224df04e7805636d2696379f93d08b9883e72e38
                                                    • Instruction ID: c48c5afb78b0926eeb682b7eaa64bdb394613f3dcb013b499e621cedc2f39156
                                                    • Opcode Fuzzy Hash: b338b6c3f670830eb38ed93b224df04e7805636d2696379f93d08b9883e72e38
                                                    • Instruction Fuzzy Hash: 98512A74E142198FDB14CFA9C580AAEFBF2FF89304F24C169D418A7256D7719942CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b880155a5caa907ea893bfb0441933a7ac5b81619cdcc1c2099522c15d9f2877
                                                    • Instruction ID: f99fd1d4bfb881bda8c288fec944ca517f2fc3529f12c10d97577b8947325000
                                                    • Opcode Fuzzy Hash: b880155a5caa907ea893bfb0441933a7ac5b81619cdcc1c2099522c15d9f2877
                                                    • Instruction Fuzzy Hash: FD512874E142198FDB14CFA9C9806AEFBF2FF89300F248169D458AB355D7709A42CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1558597176.00000000052B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_52b0000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f14598d860b8a0b009819487454100f92e3fc9414653e7e0a3dea28c7c93d2c
                                                    • Instruction ID: 8cc6d05915478155a686f7e4728a2c876a6841475782d9fe89c8761afdcb42b3
                                                    • Opcode Fuzzy Hash: 7f14598d860b8a0b009819487454100f92e3fc9414653e7e0a3dea28c7c93d2c
                                                    • Instruction Fuzzy Hash: F2C04C269BE108DAA9108984A5054F8BB3EDADB3A6F053051D11EA24024FE051544A94

                                                    Execution Graph

                                                    Execution Coverage: 9.7%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 433
                                                    Total number of Limit Nodes: 37

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0188C256
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1573656798.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1880000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: f45c2bb9b4310fdd7a58ed02357b695818fe2457294edffce0bbc554d94fe11b
                                                    • Instruction ID: 56a4462ea874057ff3e04b72ebac083101901b9d73a9af04f5c247f0be87ac93
                                                    • Opcode Fuzzy Hash: f45c2bb9b4310fdd7a58ed02357b695818fe2457294edffce0bbc554d94fe11b
                                                    • Instruction Fuzzy Hash: 898169B0A00B058FE725DF69C44079ABBF1FF48344F00892ED58AD7A54D775EA46CBA1

                                                    Control-flow Graph

                                                    APIs
                                                    • EnumThreadWindows.USER32(?,00000000,?), ref: 05A1E259
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: EnumThreadWindows
                                                    • String ID:
                                                    • API String ID: 2941952884-0
                                                    • Opcode ID: 5e8f1c275d9a2fe72a7ac82bd13a12ad3b30c108489568f38449af5057c309d1
                                                    • Instruction ID: f3643b88540654e461250a813e6ce9686f549c021354c91b7635310c701f3308
                                                    • Opcode Fuzzy Hash: 5e8f1c275d9a2fe72a7ac82bd13a12ad3b30c108489568f38449af5057c309d1
                                                    • Instruction Fuzzy Hash: BE41B471A04219CFDB14CF99C844BAEBBF9FF88320F14842AD819E7350DB789945CB69

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0188674E,?,?,?,?,?), ref: 0188680F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1573656798.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1880000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: e0428942e546ed148e770327524eff3d01174c9e70c7490568fdbd61a8306288
                                                    • Instruction ID: 09744c791238bd0561cc03ece8ab4f4f2c69b682307dcbd2876e30f1b2aa14a8
                                                    • Opcode Fuzzy Hash: e0428942e546ed148e770327524eff3d01174c9e70c7490568fdbd61a8306288
                                                    • Instruction Fuzzy Hash: E0413876900248AFCF01DF99D884ADEBFF9EB48310F14801AE914E7311D735A950CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05A14411
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: d6c51dde30f1ed9b9ff6442385b54c0f4231b3c6e0725904dfbb8bdd7777d304
                                                    • Instruction ID: f8c6f000d4915429a44ae0ff5ffdd809c6d518677e2bcaa196b5ecaf0f03ea52
                                                    • Opcode Fuzzy Hash: d6c51dde30f1ed9b9ff6442385b54c0f4231b3c6e0725904dfbb8bdd7777d304
                                                    • Instruction Fuzzy Hash: DF41F8B99003058FDB14CF99C488EAABBF5FB88314F24C459D929AB321D775A841CBA5

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01887421
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1573656798.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1880000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 8fec39a30cbd837ffca56db01c83f8a691725ec222100d561e44c2b93862dc13
                                                    • Instruction ID: 0bd925e44ec794fcdb51247de8302ca4fbcb0e54e2dcdee6b44670706da614a6
                                                    • Opcode Fuzzy Hash: 8fec39a30cbd837ffca56db01c83f8a691725ec222100d561e44c2b93862dc13
                                                    • Instruction Fuzzy Hash: 4441A2B0C0471DCBEB24DFA9C884B9DBBB6BF49304F20805AD418AB251D7796946CF90

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01887421
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1573656798.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1880000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 90f15fdba7be3c2c62df2274b84646f364f658e5d447b2f5430e654be528a8d3
                                                    • Instruction ID: 01ee4aa24939e158328387fdb9850c4c15044f12726c1c67c0688040eb153039
                                                    • Opcode Fuzzy Hash: 90f15fdba7be3c2c62df2274b84646f364f658e5d447b2f5430e654be528a8d3
                                                    • Instruction Fuzzy Hash: F041A2B1C00719CFEB24DFA9C884B8DBBB5BF49305F24805AD418AB251D7796946CF90

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: CreateFromIconResource
                                                    • String ID:
                                                    • API String ID: 3668623891-0
                                                    • Opcode ID: 04a9a024ef784d2faca60bd4b46c207722c8a0f3e2eaf63058474f1342aa8040
                                                    • Instruction ID: 73a2d3b1feed1dc733a2065c4b3c2c1384a912ad9266273853989da599a296a3
                                                    • Opcode Fuzzy Hash: 04a9a024ef784d2faca60bd4b46c207722c8a0f3e2eaf63058474f1342aa8040
                                                    • Instruction Fuzzy Hash: A4317A719003899FCB11DFA9D844AEEBFF8EF09250F14805AE954A7261C3359854CBA5

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0188674E,?,?,?,?,?), ref: 0188680F
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1573656798.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1880000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 2a6e70b81e0f2ec742701ac8ea72b3041f85b6afa8b9f9c053679d628bdba107
                                                    • Instruction ID: 207cb945dc32e9e4923739ff4f2060660b4555aa224e0951efca5178c315b221
                                                    • Opcode Fuzzy Hash: 2a6e70b81e0f2ec742701ac8ea72b3041f85b6afa8b9f9c053679d628bdba107
                                                    • Instruction Fuzzy Hash: 2721E3B5D00348AFDB10DF9AD984ADEBBF4EB48310F14841AE918A7310D379AA44CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • EnumThreadWindows.USER32(?,00000000,?), ref: 05A1E259
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: EnumThreadWindows
                                                    • String ID:
                                                    • API String ID: 2941952884-0
                                                    • Opcode ID: aaa288279c2c6991346e5e239eab5886daa5278384db622d7a5f956fe225df21
                                                    • Instruction ID: f758f25d7993288cc5551f6e03b85622b934fadfa0faf7fd85f17519a37967c0
                                                    • Opcode Fuzzy Hash: aaa288279c2c6991346e5e239eab5886daa5278384db622d7a5f956fe225df21
                                                    • Instruction Fuzzy Hash: 4D211875900209CFDB14CF9AC844BEEFBF9FB88310F14842AE825A7250D778A945CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,05A1B182,?,?,?,?,?), ref: 05A1B227
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: CreateFromIconResource
                                                    • String ID:
                                                    • API String ID: 3668623891-0
                                                    • Opcode ID: 928968186bb462f46dc362f9e7d13b671b4106f16fd080efd61959ad808190e8
                                                    • Instruction ID: 8992060e6bbb5051fef308c58a61da3f0475bd72f8d212f9815e0638a22fdfc5
                                                    • Opcode Fuzzy Hash: 928968186bb462f46dc362f9e7d13b671b4106f16fd080efd61959ad808190e8
                                                    • Instruction Fuzzy Hash: 371114B590034D9FDB10CF9AD944BEEBFF8EB48320F14841AE918A7250C379A954CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0188C256
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1573656798.0000000001880000.00000040.00000800.00020000.00000000.sdmp, Offset: 01880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_1880000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: c985eec37e3046847addd32f4652411118be0e1b94b478845aafb5ff9bd886d3
                                                    • Instruction ID: cb22fb0fe1b31c94f5753021d7c03d70e403675a73d26f4938ae29aea2b36d97
                                                    • Opcode Fuzzy Hash: c985eec37e3046847addd32f4652411118be0e1b94b478845aafb5ff9bd886d3
                                                    • Instruction Fuzzy Hash: 1E1110B5C002498FDB20DF9AC444BDEFBF4EB88310F10841AD929A7650D379A645CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 05A12075
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: 2edd93ff1463d9258b42652806d8de5b8e72062b6025faaa522c135d90d62423
                                                    • Instruction ID: 4697277477be6e244cc870c5b958ee36e660650da414f569bae4b6f0eaec5dc8
                                                    • Opcode Fuzzy Hash: 2edd93ff1463d9258b42652806d8de5b8e72062b6025faaa522c135d90d62423
                                                    • Instruction Fuzzy Hash: 7F11F2B5800349DFDB20CF9AD485BDEBBF8EB48320F20851AD959A3700D379A944CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • SendMessageW.USER32(?,?,?,?), ref: 05A1B58D
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: f9f7c94513057356d9ac33bbbb18fb6d81a24429ca8e5be0ea280bc6131bbc71
                                                    • Instruction ID: 9d16b6abba2a9bbcdd42f1d3729dfa56b53003201e60994cb91da997ff1e9904
                                                    • Opcode Fuzzy Hash: f9f7c94513057356d9ac33bbbb18fb6d81a24429ca8e5be0ea280bc6131bbc71
                                                    • Instruction Fuzzy Hash: AA11F2B580034C9FDB20DF9AD485BDEBBF8EB48320F108419E929A7200D379A944CFA5

                                                    Control-flow Graph

                                                    APIs
                                                    • SendMessageW.USER32(?,?,?,?), ref: 05A1B58D
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: 4d4f80896e4a64a754dfe087f268baea2cc132ad968d87c5965dc282ad1fe630
                                                    • Instruction ID: 47374ae28fb54ad4b1ea8495e9df6d73b1f72b90a09108a237dea762cd7256ca
                                                    • Opcode Fuzzy Hash: 4d4f80896e4a64a754dfe087f268baea2cc132ad968d87c5965dc282ad1fe630
                                                    • Instruction Fuzzy Hash: B111D3B58003499FDB10DF9AD885BDEBFF8EB48324F148419E929A7200D379A944CFA5
                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 05A12075
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1606407585.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_5a10000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: b50956b0a52411e462066a2321e9fdb673ed60f41b31e034fa68c9fe72918c35
                                                    • Instruction ID: 6adef02af354ca358ab9c193eebe5b4330b1ee8e49c5543724815ad45a67061e
                                                    • Opcode Fuzzy Hash: b50956b0a52411e462066a2321e9fdb673ed60f41b31e034fa68c9fe72918c35
                                                    • Instruction Fuzzy Hash: 8D1103B58002498FDB20CF9AC485BDEBBF8EB48320F10851AD959A3300D379A944CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1571922395.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_183d000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53e938bf52e329d0e5b1fdf799f927d58bcf69a8d6dee808a612917070ad121b
                                                    • Instruction ID: 6727b008f74e0b538e3ad8aa9b49d0d4f31d3eb71c0f7c536464c4a44972f415
                                                    • Opcode Fuzzy Hash: 53e938bf52e329d0e5b1fdf799f927d58bcf69a8d6dee808a612917070ad121b
                                                    • Instruction Fuzzy Hash: 6D213071604304DFDB15DFA4D8D0B16FB61EBC8714F68C669E80A8B242C33AD907CAA2
                                                    Memory Dump Source
                                                    • Source File: 00000003.00000002.1571922395.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_3_2_183d000_QUOTATION-9044456778.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction ID: 6eac4b1e25d17f32ba8761ba13f886a015c183d72aeb136029b8171eaeda811f
                                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction Fuzzy Hash: 8B11BB75504280CFCB16CF54D5D4B15FFA2FB88714F28C6AAD8498B656C33AD50BCBA2

                                                    Execution Graph

                                                    Execution Coverage:11%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:295
                                                    Total number of Limit Nodes:15

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,q$,q$Hq$d8q
                                                    • API String ID: 0-2404486864
                                                    • Opcode ID: 0a2ce17f80088bc034f58b54625fe5dc157aeb0561f3d5b594b9f08eefe253e4
                                                    • Instruction ID: 53bddfd12f9767cde6a73edf650cda3531996779edfcaaf970f596c3fba2cb7e
                                                    • Opcode Fuzzy Hash: 0a2ce17f80088bc034f58b54625fe5dc157aeb0561f3d5b594b9f08eefe253e4
                                                    • Instruction Fuzzy Hash: B1C14E30B102199FEB14DF69D954ABE7BB6FF88640F148069E406E7390DBB5EC41CB91

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bb806e, basic blocks up to 5bb8566; calls to 5bb7a54, 5bb9388, 5bb9378
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fq$ fq$ fq
                                                    • API String ID: 0-2888945447
                                                    • Opcode ID: 8b4274c4c73aa841c8440c8121366840946042350bd23a8ce03260c1334af25b
                                                    • Instruction ID: e41d3758496981d80c6b1773aba802cc8da01ab4bee598a6ff5cb22d4ac44115
                                                    • Opcode Fuzzy Hash: 8b4274c4c73aa841c8440c8121366840946042350bd23a8ce03260c1334af25b
                                                    • Instruction Fuzzy Hash: 54D16930A04258CFEB14CA94C854BBDB7BAFB84310F2485A6F516AB395DBF4EC81CB51

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bbd5a0, basic blocks up to 5bbd8ae; call to 5bb5590
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8q$8q
                                                    • API String ID: 0-4291441500
                                                    • Opcode ID: c1d49607589af96727fe63ba24daf5d1ecd33981e8c84a3241d97f1c47da7798
                                                    • Instruction ID: b9f4218b57b2a2c21b74c05d3cd07127bdea6d312fa989d215bdf002ac6e3507
                                                    • Opcode Fuzzy Hash: c1d49607589af96727fe63ba24daf5d1ecd33981e8c84a3241d97f1c47da7798
                                                    • Instruction Fuzzy Hash: EE81C230B141058FEB14DB698854BBE7BA2FF85201F2840AAD44ACB391DAF9ED45C796

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bb0448 (calls itself), basic blocks up to 5bb06fe; calls to 5bb0448, 5bb0a19, 5bb0a28
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hq$Hq
                                                    • API String ID: 0-925789375
                                                    • Opcode ID: e2f6889e5b0af4452c4731885b039183dd80f5f0c251da23d77bb6fe6da45b38
                                                    • Instruction ID: d4abe7841dc7d994bd86230aa3a653b95a947c27683b7e07d81f8f1de57c649b
                                                    • Opcode Fuzzy Hash: e2f6889e5b0af4452c4731885b039183dd80f5f0c251da23d77bb6fe6da45b38
                                                    • Instruction Fuzzy Hash: 91816C70E003199FDB14DFA9C8946EEBBB2FF88300F24856AE405AB350DBB49941CB91

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bb8219, basic blocks up to 5bb8566; calls to 5bb9388, 5bb9378
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fq$ fq
                                                    • API String ID: 0-1977554630
                                                    • Opcode ID: eebf0be14ca952af635ff2f9aee30b7c1e6ce91503b3803919d593c351fbb9d5
                                                    • Instruction ID: eca930e92dd4bd3181d9b4e6a8b4c0140d755e9240a37f3b8c9c6ebcb2d070f2
                                                    • Opcode Fuzzy Hash: eebf0be14ca952af635ff2f9aee30b7c1e6ce91503b3803919d593c351fbb9d5
                                                    • Instruction Fuzzy Hash: 0A715730A44618DFEB24CA94D945BFCB7BAFB40310F1581A6F516AB291DBF0E882CF51

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bb8200, basic blocks up to 5bb8566; calls to 5bb9388, 5bb9378
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: fq$ fq
                                                    • API String ID: 0-1977554630
                                                    • Opcode ID: 46e16725ea087fab6967a4b97798e74159ec7cfebbb349a5587b0f7cf8a0c6c7
                                                    • Instruction ID: 58cc1d5995d27ddb088bcd07ce58008e929050bf6a2e55511a1c75ea125e2cbf
                                                    • Opcode Fuzzy Hash: 46e16725ea087fab6967a4b97798e74159ec7cfebbb349a5587b0f7cf8a0c6c7
                                                    • Instruction Fuzzy Hash: FF713630A44618DFEB24CA94D944BFCB7BAFB40311F1581A6F516AB291DBF4E881CF42

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bb00e8, basic blocks up to 5bb1053; calls to 5bb0134, 5bb00c8, 5bb00d8, 5bb0144
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$Hq
                                                    • API String ID: 0-1154169777
                                                    • Opcode ID: 9fe267303087f4deae7c2afea3827f9fa35a15f4f4846ef60cf9dc9d05de1171
                                                    • Instruction ID: 93e5396576d78cac7459c8ea461e954439a95e96641732d157b2518239b27d7b
                                                    • Opcode Fuzzy Hash: 9fe267303087f4deae7c2afea3827f9fa35a15f4f4846ef60cf9dc9d05de1171
                                                    • Instruction Fuzzy Hash: 3051F97070020A9FEB19EB68D8597BF7AE6FBC4300F204468E406D73D4DEB49D058799

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 5bbbf78, basic blocks up to 5bbc03b; no calls
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$(q
                                                    • API String ID: 0-2485164810
                                                    • Opcode ID: 1f0440f025cd51c156472e0d5a899cc42770924f65b7dac7f5714b7e2d320940
                                                    • Instruction ID: 98be09ae078b3659b4d5eb0b49bbab5b1878e360ae1798dce78038a8d8e067f0
                                                    • Opcode Fuzzy Hash: 1f0440f025cd51c156472e0d5a899cc42770924f65b7dac7f5714b7e2d320940
                                                    • Instruction Fuzzy Hash: 4811E6306093055FE719EFB9E85065EBBB2EFC1101B2481ADD80A97295DEB0AE04CB51

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 3425dd4, basic blocks up to 3426125; CreateProcessA called from block 3425f6f-3426029
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03426016
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: b9b796141d237ca65147b796287bfd68ddaab49a3c77c23c2ecf719cb5362827
                                                    • Instruction ID: 101ba37c6d1462bd86c4fa2560a08e3a350b8904b1de0a92c73a090caab7f317
                                                    • Opcode Fuzzy Hash: b9b796141d237ca65147b796287bfd68ddaab49a3c77c23c2ecf719cb5362827
                                                    • Instruction Fuzzy Hash: B2A15B71D00229DFEB20DF68C94079EFBB2BF49310F1585AAE818BB240DB759985CF95

                                                    Control-flow Graph

                                                    Rendered control-flow graph: entry block 3425de0, basic blocks up to 3426125; CreateProcessA called from block 3425f6f-3426029
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03426016
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: cc22ce184e85e26bde2c4b0ed152b9b17a19680d4baa00d22d93d3ac2c3ef4ef
                                                    • Instruction ID: c65b430c1fb509f153d8ddba10c789a129b3a9a26204d38ff90347fc7669b049
                                                    • Opcode Fuzzy Hash: cc22ce184e85e26bde2c4b0ed152b9b17a19680d4baa00d22d93d3ac2c3ef4ef
                                                    • Instruction Fuzzy Hash: 14914C71D00229DFEB20DF68C94079EFBB2BF49310F1585AAE818BB240DB759985CF95
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B740C2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1658550062.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5b70000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 4256d7b327b4eece2c7c254b4cabf85b2be77f61c6dcadfcbec36c520c327866
                                                    • Instruction ID: 211a1d07f098c5764cf9784c22caea4d2f8fa36a0576c2382f577b1f7026ffd6
                                                    • Opcode Fuzzy Hash: 4256d7b327b4eece2c7c254b4cabf85b2be77f61c6dcadfcbec36c520c327866
                                                    • Instruction Fuzzy Hash: 86419DB1D002499FDB14CF9AC884ADEBFB5FF48310F24856AE819AB250D775A985CF90
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05B740C2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1658550062.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5b70000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: f74a4f076c697d92b5a57248371b3f0647002ba9ff646099831a9109fb9fb354
                                                    • Instruction ID: 65617190ddebdc6444e5d1932112141e6b9c64a8042be11a13573cda391cb3fb
                                                    • Opcode Fuzzy Hash: f74a4f076c697d92b5a57248371b3f0647002ba9ff646099831a9109fb9fb354
                                                    • Instruction Fuzzy Hash: 1641ADB5D002499FDB14CF99C984ADEBFB5FF48300F24866AE819AB250D775A885CF90
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05B767C1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1658550062.0000000005B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5b70000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: 8f4e93cfd64edd1f2de2bc6c8b3b249c033dce1b0aab9e30ccbce9792cbe92b6
                                                    • Instruction ID: a4b6e2c2f560d1645b9b9950cf2e9d1b1715f777579b3ffa3a4b6f975a2fa640
                                                    • Opcode Fuzzy Hash: 8f4e93cfd64edd1f2de2bc6c8b3b249c033dce1b0aab9e30ccbce9792cbe92b6
                                                    • Instruction Fuzzy Hash: F8410DB59007099FDB14CF55C488EAABBF5FF88314F24C499D919A7321D774A845CFA0
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01AF7D91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1615134213.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1af0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 616d8602710a4986442d05e2656b09386cb87b87bc60c8c0d8645535495d404a
                                                    • Instruction ID: 22ed5e47e74554c72f0ede36eb2388198bcd0695d9f32f069cd1ec14cae231c2
                                                    • Opcode Fuzzy Hash: 616d8602710a4986442d05e2656b09386cb87b87bc60c8c0d8645535495d404a
                                                    • Instruction Fuzzy Hash: 3441D2B1C00718DBEB24CFA9C844B9DBBB5BF48314F60846AE508AB255D7B56946CF90
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01AF7D91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1615134213.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1af0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 0e6f27824750107facc34ca35734f9975d48e46587061208c4b99be5c4a70ffe
                                                    • Instruction ID: 443e4a82c83d79d0253f83a27844cd8fa9ea9d3b99e7886934e95ebaa4ee5001
                                                    • Opcode Fuzzy Hash: 0e6f27824750107facc34ca35734f9975d48e46587061208c4b99be5c4a70ffe
                                                    • Instruction Fuzzy Hash: 3641E2B1C00718CFEB24CFA9C884BDDBBB2BF48314F64846AD508AB255D7756946CF90
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03425BE8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 45761521631f600913e4076e4ee3a2febfa431e701c534afb6bf2412d7a87e16
                                                    • Instruction ID: 093b5f03891d2e91df0a0f91a070e58ce0f4e5a78091b718574fea1b02a2128c
                                                    • Opcode Fuzzy Hash: 45761521631f600913e4076e4ee3a2febfa431e701c534afb6bf2412d7a87e16
                                                    • Instruction Fuzzy Hash: 112124759003199FDB10CFAAC881BEEBBF1FF48310F14842AE918A7240CB799951CBA4
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03425BE8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 8e2c942412266767e6409f593f24909a47bf45548a1ee3d6124025c119022296
                                                    • Instruction ID: 22043f46bd4de112d536425765909e8b0730b643d71aab8b6975ebe763ab6e8f
                                                    • Opcode Fuzzy Hash: 8e2c942412266767e6409f593f24909a47bf45548a1ee3d6124025c119022296
                                                    • Instruction Fuzzy Hash: 3C2124759003599FDB10CFAAC885BEEFBF5FF48310F54842AE919A7240DB789941CBA4
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03425CC8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: e7f68b849e4097d8dce4a31eaa8ed4c22d4be91c0da51ec05e173ededd4cc6e6
                                                    • Instruction ID: 27f9d209f6c995337c8618dc180f21ec894276a9557a417f56a839e44b743021
                                                    • Opcode Fuzzy Hash: e7f68b849e4097d8dce4a31eaa8ed4c22d4be91c0da51ec05e173ededd4cc6e6
                                                    • Instruction Fuzzy Hash: 2F2127718003599FDB10CFAAC981BEEFBF5FF48310F10892AE518A7240D7789541CBA5
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03425606
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: adac7bd9eea92c134260494b0e278f934523c9f6d4c566b52a3ccdb7cf920181
                                                    • Instruction ID: d287ceb94ef7bd212f8cd7a5d4eb2d6365a9f5703e88a6e55a7924cca6013c89
                                                    • Opcode Fuzzy Hash: adac7bd9eea92c134260494b0e278f934523c9f6d4c566b52a3ccdb7cf920181
                                                    • Instruction Fuzzy Hash: 85213971D103088FDB20DFAAC485BEEFBF5EF48220F54842AD419A7240DB789945CFA5
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 03425606
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 810b27df12634144da3421f8021e39893cd2cf3e3d9a1c0a03452393a2ee6383
                                                    • Instruction ID: 5e511db10459391258aa7148ff642250eb75510c46097022bdecda1283eaafb4
                                                    • Opcode Fuzzy Hash: 810b27df12634144da3421f8021e39893cd2cf3e3d9a1c0a03452393a2ee6383
                                                    • Instruction Fuzzy Hash: 99213771D003088FDB10DFAAC4857EEFBF5EF48220F54842AD419A7240CB78A945CFA4
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03425CC8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: f253ecf6fdf1d1f1adab695ac341489f763b5a9c24cd28f5767855f8d2fc0779
                                                    • Instruction ID: 356c7516f364818691435fbed0de8ad9ffecec3ff572c128c5c48097b805e42c
                                                    • Opcode Fuzzy Hash: f253ecf6fdf1d1f1adab695ac341489f763b5a9c24cd28f5767855f8d2fc0779
                                                    • Instruction Fuzzy Hash: A12105B18003599FDB10CFAAC880BEEFBF5FF48310F50842AE518A7240D77899458BA4
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01AFFDCF
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1615134213.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1af0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: b645de0975b912750b51d66312251cf516773d16ee3a301ffa8a82609594ddaa
                                                    • Instruction ID: 7ddbeba6e2c6849781fb31bf587a27d6fdd189a75c380bdebb74a531da2ecfc9
                                                    • Opcode Fuzzy Hash: b645de0975b912750b51d66312251cf516773d16ee3a301ffa8a82609594ddaa
                                                    • Instruction Fuzzy Hash: D021C4B59002499FDB10CF9AD584ADEFBF9FB48310F14841AE918A3350D378A955CF65
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03425B06
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: a7356fc5d16af98e7d9471eda7bd990aad58a5a6f4e4fcc252e3d0cda01a0fc5
                                                    • Instruction ID: 86c69be3d0f24e6c02245439fe8694e939bd28daea1d63ffb5afb0c2dedbd668
                                                    • Opcode Fuzzy Hash: a7356fc5d16af98e7d9471eda7bd990aad58a5a6f4e4fcc252e3d0cda01a0fc5
                                                    • Instruction Fuzzy Hash: AD1136729002498BDB20DFAAC845BDEFBF5EB48320F14881AE519A7250CB799541CBA0
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03425B06
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 966e260fa90e4b54499670f7f8588fbc3d3ec27ecdb24d6282cad1af7f9d7a63
                                                    • Instruction ID: 9408cd4febf96cc3add17d545e235043a4809b0dfbe1d78d431d544d878373f4
                                                    • Opcode Fuzzy Hash: 966e260fa90e4b54499670f7f8588fbc3d3ec27ecdb24d6282cad1af7f9d7a63
                                                    • Instruction Fuzzy Hash: 9B1117759002489FDB20DFAAC844BDEFFF5EB48320F148419E519A7250CB799541CBA4
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: b86fe07619df82808d75da59f28d311d26f56075be3e68e616f8f9290a9de869
                                                    • Instruction ID: adcbff7feec3ebe1564f0c4dbe8fa2b98dc638fadf6ae6bb7ca777e2310b94d3
                                                    • Opcode Fuzzy Hash: b86fe07619df82808d75da59f28d311d26f56075be3e68e616f8f9290a9de869
                                                    • Instruction Fuzzy Hash: 5A110771D002598FDB20DFAAC4857EEFBF5EF88324F24845AD419A7240CB796941CFA4
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 03428185
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 3587d4d5e22507e256c297900b63e9f49376c6e032ce036af6d21f59d3b1c275
                                                    • Instruction ID: 66ef36310b125dc70dcf537272894f8d6b0e5db4c1804b0d79df16188e2f1e36
                                                    • Opcode Fuzzy Hash: 3587d4d5e22507e256c297900b63e9f49376c6e032ce036af6d21f59d3b1c275
                                                    • Instruction Fuzzy Hash: 3C11F5B58003599FDB20CF9AD885BDEFFF8EB48310F14885AE518A7640C375A584CFA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: cfc1a4ea3b47375ae2318be9bdcf60a12cd033167b7fb7fee1b1f66b29e4332e
                                                    • Instruction ID: ec8ece98eaf80b4e83132e60b8e1ce4300547add1e3dae5819d01ea8e7ebea71
                                                    • Opcode Fuzzy Hash: cfc1a4ea3b47375ae2318be9bdcf60a12cd033167b7fb7fee1b1f66b29e4332e
                                                    • Instruction Fuzzy Hash: 57113A71D003588FDB20DFAAC4457EEFBF5EF88220F24845AD419A7240CB79A941CFA4
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 03428185
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1616392444.0000000003420000.00000040.00000800.00020000.00000000.sdmp, Offset: 03420000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_3420000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 03d0748a1ac53b7955fc94073e53cfb9d02223860146db3934f4c8d96417d58c
                                                    • Instruction ID: 36a56e0448278602ebcab2e861bab83bb3b74a7cb1f8fba88c2a79d13e3e567e
                                                    • Opcode Fuzzy Hash: 03d0748a1ac53b7955fc94073e53cfb9d02223860146db3934f4c8d96417d58c
                                                    • Instruction Fuzzy Hash: 1911F5B58003599FDB20CF9AC445BEEFBF8EB48310F10885AE518B7240C379A944CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 01AFDAC6
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1615134213.0000000001AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 01AF0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1af0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 2aeac75357f5cadf7ab7068a6a6f6cf2297bc57863e232015bad54e9cbb2362f
                                                    • Instruction ID: 9fe62c6e5400e49dc0f7446b3b94e5545e364f506d1666cc5b47471166b9122b
                                                    • Opcode Fuzzy Hash: 2aeac75357f5cadf7ab7068a6a6f6cf2297bc57863e232015bad54e9cbb2362f
                                                    • Instruction Fuzzy Hash: 331110B6C002498FDB20DF9AC444BDEFBF4EB88320F10845AD928B7600C379A546CFA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q
                                                    • API String ID: 0-2414175341
                                                    • Opcode ID: 14a58990d86149e309e69c7bd649e6b41183201758dcb7e4a2be80d265248a78
                                                    • Instruction ID: 81f5c0080e80e5e584758e828a8c31353180c1360e89c82f9fa466d861a92343
                                                    • Opcode Fuzzy Hash: 14a58990d86149e309e69c7bd649e6b41183201758dcb7e4a2be80d265248a78
                                                    • Instruction Fuzzy Hash: 3391E471A01208DFDB18DFA9D854BEEBBF6FF85300F2484A9E445A7750DBB4A806CB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,q
                                                    • API String ID: 0-196045463
                                                    • Opcode ID: b04a7cb0e229d2d51611ef153f7184c55eaacad0c26d47f672f5629483058437
                                                    • Instruction ID: e680b6398d70ec5a8c2659b9b50c6c5708c456651dfe1137ab9695fe5d646bdd
                                                    • Opcode Fuzzy Hash: b04a7cb0e229d2d51611ef153f7184c55eaacad0c26d47f672f5629483058437
                                                    • Instruction Fuzzy Hash: 0F51E934A1061ADFDB24CF68D985AADBFF1FF48711F1481A9E806A7260D7F0AD44CB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hq
                                                    • API String ID: 0-1594803414
                                                    • Opcode ID: 004d313b27d7ed42f72857d07cdd5d8e7d1b8818a58e78c2e8a7d0f7f7e5b76b
                                                    • Instruction ID: 2811caaff112138f5dc3a476b58aa01983482740680e0efd4b5bb7f8a5d150c5
                                                    • Opcode Fuzzy Hash: 004d313b27d7ed42f72857d07cdd5d8e7d1b8818a58e78c2e8a7d0f7f7e5b76b
                                                    • Instruction Fuzzy Hash: DD21C270B14205AFEB05DF748D0ABBE3F76EB84700F20C4A9E506DB285DEB06E058B91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hq
                                                    • API String ID: 0-1594803414
                                                    • Opcode ID: 3f6468b5ab481ebd57854af2b755d10782bda706d07f9ae3af875d7f9d65be80
                                                    • Instruction ID: d94afac3a3f606efb4bcb2d739deeb333fe8447ea57d280821fa7db58db6c3f0
                                                    • Opcode Fuzzy Hash: 3f6468b5ab481ebd57854af2b755d10782bda706d07f9ae3af875d7f9d65be80
                                                    • Instruction Fuzzy Hash: BA21D470A14209AFFB04DF688D05BFE7F76EB84700F10C0A5E506DB284DEB06E0587A5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59347f73decba466a754f1c414a43c9d497b5a7e642e1b1187c91917737ee003
                                                    • Instruction ID: 1416acfc5fd5962ac4f0dad3422ad6a6e287e4d0dd6e92ec19ccee2aeb9f911b
                                                    • Opcode Fuzzy Hash: 59347f73decba466a754f1c414a43c9d497b5a7e642e1b1187c91917737ee003
                                                    • Instruction Fuzzy Hash: 9921B375E00208AFDF01DFA8C845EFEBBB5EF49310F1484A6F905D3211EAB0A916CB51
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b139b2504e00ac3c7c495623b8355e55e2a68d7adabb05947a6deaff6d404911
                                                    • Instruction ID: 4a4bef689e28c6cf80dc32cd268f95409d8b9d05f615493e6cb66f90b14d52fe
                                                    • Opcode Fuzzy Hash: b139b2504e00ac3c7c495623b8355e55e2a68d7adabb05947a6deaff6d404911
                                                    • Instruction Fuzzy Hash: F721D4367006105FEF249E65C881ABE77E7FBC4210B248069E687D3754E6B4FD818761
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a24f38b0e53858e58544aa5d5932d6e99964bc2fbbd523f7ed7d5adb4e986266
                                                    • Instruction ID: 56cac6554c2e22baed8da935110a7a03c63564bd9faaa39f45338c5aee357e10
                                                    • Opcode Fuzzy Hash: a24f38b0e53858e58544aa5d5932d6e99964bc2fbbd523f7ed7d5adb4e986266
                                                    • Instruction Fuzzy Hash: 4121E571908118CBEB24CF69C4406FEBBB6FB85710F1042A6EA66D7281C7F1FA00CB56
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b27f9f8bb61fdeeb453d6e9eeb6f255c07e6f22b4b470fc22fc03b8b1a14ea6
                                                    • Instruction ID: 4a504dde7f2e339a7e21eae8dfbc31a89cd09de85a4a9bed9d146aafc6026018
                                                    • Opcode Fuzzy Hash: 8b27f9f8bb61fdeeb453d6e9eeb6f255c07e6f22b4b470fc22fc03b8b1a14ea6
                                                    • Instruction Fuzzy Hash: A921A371908518CBEB24CF59C440AFEBBB6FB85710F0442A6EA66D7281C3F5F600CB52
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612769983.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_180d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 44303b8348968df7ac43ef9e72bf6495a8d6b8663328f0300932e07616ca86f2
                                                    • Instruction ID: 3079d9f51b586d93cc29671f053a2d92cb7e3e81f0f94d0034c67c380d19fd2c
                                                    • Opcode Fuzzy Hash: 44303b8348968df7ac43ef9e72bf6495a8d6b8663328f0300932e07616ca86f2
                                                    • Instruction Fuzzy Hash: DC210372500248DFDB56DF94D9C0F26BF65FB88318F20C669EC098B296C336D556CAA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612769983.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_180d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 41e217b3f2bade9ff6d4c1053656aa49851d2a5e46ed417981a35556062df733
                                                    • Instruction ID: 3893b097c745a075b373ed242c70c9a532a6c2b85c9800f538d8d38283617319
                                                    • Opcode Fuzzy Hash: 41e217b3f2bade9ff6d4c1053656aa49851d2a5e46ed417981a35556062df733
                                                    • Instruction Fuzzy Hash: EE213671500608DFDB06DF84D9C0B56BB65FB88324F20C269E9098B296C33AE546CAA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6fd7d1e1ef21274852533d6ebd4ada1f6a1c49c2bb2efaf2fbb109792a8b3dcf
                                                    • Instruction ID: ffde898e96fc4e6edd694d54be68cb4d774447a8fc7c76236c349c37a0899edc
                                                    • Opcode Fuzzy Hash: 6fd7d1e1ef21274852533d6ebd4ada1f6a1c49c2bb2efaf2fbb109792a8b3dcf
                                                    • Instruction Fuzzy Hash: 8A21D631608A549BEB208B65DD41BFBB7F6FB41321F4486A7E4A6C6281C3F9F414C692
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612978002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_181d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5f456857e848fc1dffa94c5074000b7282ac2a6e55b6bf04efd1b5623c2b9fb1
                                                    • Instruction ID: 56d34c392d2eb471093b7b41bf9e46575c17431adb6873bff57091ebd289973d
                                                    • Opcode Fuzzy Hash: 5f456857e848fc1dffa94c5074000b7282ac2a6e55b6bf04efd1b5623c2b9fb1
                                                    • Instruction Fuzzy Hash: D8213772504304DFDB05DF94D5C4F55BBA9FB84324F20C76DD8198B25AC33AE546CA61
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612978002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_181d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9faac4db8ff748b6d7f681d62e4fbe16a2d2e8ff8c41ad70238c9dd9662542b4
                                                    • Instruction ID: 1e3f41d56649ca8d1b1b32c34f73e52f6a41c356eae35b10f87c8b289bdb3c5a
                                                    • Opcode Fuzzy Hash: 9faac4db8ff748b6d7f681d62e4fbe16a2d2e8ff8c41ad70238c9dd9662542b4
                                                    • Instruction Fuzzy Hash: 7F212276604304DFDB15DF54D8C8B16BB69EB88354F20C6ADD80A8B24AC33AD947CA62
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15a49c2c822565932e781a62f0dd405e0379d2b4637ad540273a4f82a2a99c91
                                                    • Instruction ID: 2cc218ee652ae900c3aceb38b7dcf823e76f83e8300e3f1df23696f566e58831
                                                    • Opcode Fuzzy Hash: 15a49c2c822565932e781a62f0dd405e0379d2b4637ad540273a4f82a2a99c91
                                                    • Instruction Fuzzy Hash: 3B212171E1021A9FCB05DFADC8848EEFBF5FF98210B10C15AE414A7215E7B0A942CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 522b7e102e474f3fc3d8eafa0264ac11c8350cf8f8020cd6dcb2df05176c8bd2
                                                    • Instruction ID: 5defcd117961e3e0a06ac9902f7a421ef8fd55e54b9d9c73d11c5816dec063f0
                                                    • Opcode Fuzzy Hash: 522b7e102e474f3fc3d8eafa0264ac11c8350cf8f8020cd6dcb2df05176c8bd2
                                                    • Instruction Fuzzy Hash: 09214D357006149FDB249E19D580EBAB3BBFB88620F11446EE64687751D7F2FC41CB60
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88402305e3936badb6c71219d03373ef84c3567a9f3fe774461d6cfe4ba1323e
                                                    • Instruction ID: 74d728f703fde9575f144b34b55930ce15bc3a4c02d92340ea8865645f0ca8e6
                                                    • Opcode Fuzzy Hash: 88402305e3936badb6c71219d03373ef84c3567a9f3fe774461d6cfe4ba1323e
                                                    • Instruction Fuzzy Hash: D531E3B1D012189FDB20CF99C588BEEBBF1FB48314F248459E448B7250C7B96845CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05e15fd633fd468604d8049a9f45ad0597ff07fdf185b24dfa3d89885b338d25
                                                    • Instruction ID: f4b91fa12d168dcb290498d638251225675376c73475630db98f57977cd14387
                                                    • Opcode Fuzzy Hash: 05e15fd633fd468604d8049a9f45ad0597ff07fdf185b24dfa3d89885b338d25
                                                    • Instruction Fuzzy Hash: 3531E2B0D012589FEB60CF99C588BEEBBF5FB48314F208059E545B7250C7B56845CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4cf19045057a3b85e0e4c6ff5c3f2ba2bfe73d5310c13257d77b7153c1b804e
                                                    • Instruction ID: ce2b90c2c1fc92ef8a2a6a7f83645ba8ea2c7d512b1426491e1d6dc580d3fd5a
                                                    • Opcode Fuzzy Hash: e4cf19045057a3b85e0e4c6ff5c3f2ba2bfe73d5310c13257d77b7153c1b804e
                                                    • Instruction Fuzzy Hash: 8611D3323006054BE7259A2DD8987AA77F6EBC4210F18CCBAA04ACB755DAF4E8458751
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13f7b5206677fb0b7678373f4ed6ce5d58f07897d9112dc0ea2ff66e683b10ee
                                                    • Instruction ID: 5eaee40a9560418e78a6ba76f2bed72819b2e3287a6b34e1cfec227610d22b11
                                                    • Opcode Fuzzy Hash: 13f7b5206677fb0b7678373f4ed6ce5d58f07897d9112dc0ea2ff66e683b10ee
                                                    • Instruction Fuzzy Hash: 39214A357006149FEB288E15D584EBA73BBFB98620F11446DE64687B51DBF2F8418B50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 32590184356ea64dcd2b0f7b885103852542cb7d670d7d580137336e46fabfe9
                                                    • Instruction ID: 94d10cb88fffeb8140f83799ba1dc881bbd87c9466c4a45f37be7701dd6f6ef7
                                                    • Opcode Fuzzy Hash: 32590184356ea64dcd2b0f7b885103852542cb7d670d7d580137336e46fabfe9
                                                    • Instruction Fuzzy Hash: 2311B134B005188BEB19EB79C454ABC73B2BFC4A10F0080AAE456873A4DFF8AC41CB81
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b42e3662e77d994422bd700d67aba62dfd3198b7adcb08c44ad0fbc5e55e5b2c
                                                    • Instruction ID: 917accc03aba2fcc37b5a4d4f75c82c5011820e6267f54a611c497754cb4c73a
                                                    • Opcode Fuzzy Hash: b42e3662e77d994422bd700d67aba62dfd3198b7adcb08c44ad0fbc5e55e5b2c
                                                    • Instruction Fuzzy Hash: AE21ED71E1020E9FCB04DFA9C8459AFFBF9FF98210B14C55AE518E7211E770A956CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b1242240d5f5fd8923f752bf126dee6fe7e77ea2fe3a800d118f5cfd1bbfe80
                                                    • Instruction ID: 6510ce837c4b7491deab2db48f4905a57e59b595d668dadbefc752336558868f
                                                    • Opcode Fuzzy Hash: 2b1242240d5f5fd8923f752bf126dee6fe7e77ea2fe3a800d118f5cfd1bbfe80
                                                    • Instruction Fuzzy Hash: 3B212B31D1074A8BDB11DFA4C4407EDBBB2FF95310F248B55E015BB6A1EBB0A986C781
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b7e4dacf510d16621dd400f656774d9beaa031243c8d8816c9d63de3beae1b45
                                                    • Instruction ID: b29eaa144bd5df91b437e74a9eca1a4781249a135435d2165092525a1f93d890
                                                    • Opcode Fuzzy Hash: b7e4dacf510d16621dd400f656774d9beaa031243c8d8816c9d63de3beae1b45
                                                    • Instruction Fuzzy Hash: 6721DE71E1020A9F8B04DFA9C8849AFFBF9FF98210B10855AE515E7211E770A955CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 724f4e74924054a8dbb2b2eb9c6366e4707adb2c00a2594f6356908cbb05de65
                                                    • Instruction ID: 32d228b3914ea0c857fc852a73e76eb99735f47f0c7d9a5d00f533bd3767c36d
                                                    • Opcode Fuzzy Hash: 724f4e74924054a8dbb2b2eb9c6366e4707adb2c00a2594f6356908cbb05de65
                                                    • Instruction Fuzzy Hash: 23115E71B402098BDB14EBA998506FEB6B2FBC4310B5040A9C606E7240EFB6AD01CB95
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b6bc16386fcc735080b45a389297d8a98183b83c05f3ba6d44463aeea572fe84
                                                    • Instruction ID: a5cac66a8cd5901ea829baaf04cd1c61221e35ac1f2bbfd6f7a798bb204b21a9
                                                    • Opcode Fuzzy Hash: b6bc16386fcc735080b45a389297d8a98183b83c05f3ba6d44463aeea572fe84
                                                    • Instruction Fuzzy Hash: EB012D713585688FF71C852DDC127FAB296E784220F04867BF85AC72C0D1FCF8454594
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f412324f359869c8b3b973405c842cfaa2a9b13a801d2794a8cd98483c38bc5c
                                                    • Instruction ID: 29e04abca3b4ba41ed486fafe7e2d2964a2b7198eeea31c12c47d693f7cddd5f
                                                    • Opcode Fuzzy Hash: f412324f359869c8b3b973405c842cfaa2a9b13a801d2794a8cd98483c38bc5c
                                                    • Instruction Fuzzy Hash: 4F1181767006098FC711EB68C944ABE77F6FF84210B058969D516EB390EF70ED058F91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba9cfd23fd9ece5a1e8b886da7ed3d8e43451d4af894025807dad67ecbfbd74f
                                                    • Instruction ID: 3103b876a99b28c091e9565242f0fa9dc45f9feb2964249a375689b9aefe9a41
                                                    • Opcode Fuzzy Hash: ba9cfd23fd9ece5a1e8b886da7ed3d8e43451d4af894025807dad67ecbfbd74f
                                                    • Instruction Fuzzy Hash: A8118C75A0020A5F9B15DA798C849BFBBFBEFC82607154569E928D7240EFB0A90587A0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d72704ed28ba4aaaadaeabaf3b2880f33b197113bef15d3c78fd747a4b908d4c
                                                    • Instruction ID: 94757eaf63df5e48ce42c169705d79c647eca66f346bd8fe3008cee59eeeca53
                                                    • Opcode Fuzzy Hash: d72704ed28ba4aaaadaeabaf3b2880f33b197113bef15d3c78fd747a4b908d4c
                                                    • Instruction Fuzzy Hash: D801B5713585A89FF728C96DD8127FAA29AE784320F14467BE8AAC72C0D1EDF9404294
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91282628f1e01f0e2234fc433c32126b7ae2f7016992e84f92c8185225dea5cb
                                                    • Instruction ID: ae0fca58d7d965e5a08fbee034807b3fcb51eb6133b026fbc54c80141a9c8827
                                                    • Opcode Fuzzy Hash: 91282628f1e01f0e2234fc433c32126b7ae2f7016992e84f92c8185225dea5cb
                                                    • Instruction Fuzzy Hash: 1E110172A00924DFEB24CB79C4806FAFBA1FB05311F0445A3EA65A7281C3F0FA40CB91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aef372ea55b8635a08ff0e6245f6b509764fba9130087b15573ea9b70daa7c0a
                                                    • Instruction ID: ecc734c5450586aa258e0f13d1129743adad692694290705efe6ec86b282e24e
                                                    • Opcode Fuzzy Hash: aef372ea55b8635a08ff0e6245f6b509764fba9130087b15573ea9b70daa7c0a
                                                    • Instruction Fuzzy Hash: 7D11C9B5E0021A9FCB44DFADC8809AEBBF5FF88210B10816AE918E7311E7349911CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43b0960e934cacbad088e306d014a990ab28bf799e09c68ae48affd5eaae0f20
                                                    • Instruction ID: bcda79f682ec49a783385a0a7ed3e3eadef3e43d180f52bf70e1a20b3d325b00
                                                    • Opcode Fuzzy Hash: 43b0960e934cacbad088e306d014a990ab28bf799e09c68ae48affd5eaae0f20
                                                    • Instruction Fuzzy Hash: 5411A1317105148BEB29EA39D854BBC77A2AFC5A20F1485FAD165CB3A0DFF8EC018781
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92ad564e6dbbb7168d6dd9be5fc226e1d69005c23fcf70c1444a6a626e6fa1cc
                                                    • Instruction ID: 17badcc3cc4f6457e7a0910d5d07323716eeb08b78b50e1fbe916b259a687d60
                                                    • Opcode Fuzzy Hash: 92ad564e6dbbb7168d6dd9be5fc226e1d69005c23fcf70c1444a6a626e6fa1cc
                                                    • Instruction Fuzzy Hash: C121AF30A09159CFE734CF28C944AF9BBB2FB46301F0589EAD0A19B1C1E3F5A585CB42
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612769983.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_180d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction ID: 8b8fa69734afee30d7d531af5a1c90f0b76c35d678e6b63aefc4495fc6bbb72e
                                                    • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction Fuzzy Hash: B2110372504644CFDB06CF84D9C0B56BF71FB84324F24C2A9D8094B257C33AE556CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612769983.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_180d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction ID: 535669548dcb029abfbe0130ac818c1eea92ae73644bb5ccc03231fa5b5eacc5
                                                    • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction Fuzzy Hash: BA11DF72504284CFCB06CF54D9C0B16BF71FB88314F24C6A9EC494B296C336D55ACBA1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612978002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_181d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction ID: 1dd3988a1e7daa5414ed5822f544a6100d06bb194e873a03ef15df5b8a44fe4d
                                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction Fuzzy Hash: 3411BE76504280CFCB16CF54D5C4B15BF61FB44314F24C6A9D8498B65AC33AD54BCB62
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612978002.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_181d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction ID: 37d13456125fea0d0924173f21eb3d2c47871cd9285e988798c16c33e0173bd5
                                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction Fuzzy Hash: 7211BB76504280DFCB06CF54C5C4B15BFA2FB84324F24C6A9D8498B69AC33AE40ACB61
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da072dd23435209d6bd2a729bdb83cf024ad1f71381f07026000f5a1eb15b2a4
                                                    • Instruction ID: 4a092ffec87d2368e62c5ed0b0d7834539e31fb182bd6a8ed548b3e2405a561d
                                                    • Opcode Fuzzy Hash: da072dd23435209d6bd2a729bdb83cf024ad1f71381f07026000f5a1eb15b2a4
                                                    • Instruction Fuzzy Hash: 4B117C70909159CBE734CF68C544AF9BBB2FB45301F0589A6D0A18A0C1E3F4A585CB42
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b4ba930972928c878eaf2bf1a38f6ccf3bc9a632e0234ffaaef205d22affc3f7
                                                    • Instruction ID: 750baaba46152ca8af0c9e327cdb737671c547a80c70cb56238ea294bd10dcfe
                                                    • Opcode Fuzzy Hash: b4ba930972928c878eaf2bf1a38f6ccf3bc9a632e0234ffaaef205d22affc3f7
                                                    • Instruction Fuzzy Hash: 4F119BB5E0011A9F8B44DFADC9449AEFBF5FF8C710B10816AE919E7315E7309911CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2311c4c67bcc7c32f8dc0cfd97be72ffe47a71cc155d29a0fdd94827adef278d
                                                    • Instruction ID: ee3d994b078a956ecd5abeac6ee54c5753326dc3254d14d601125f4ac94f53e1
                                                    • Opcode Fuzzy Hash: 2311c4c67bcc7c32f8dc0cfd97be72ffe47a71cc155d29a0fdd94827adef278d
                                                    • Instruction Fuzzy Hash: E11126B5C006088FDB10DF9AC444BEEFBF4EB48210F10845AD858A7210D3B8A945CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd60f62efbcc22a6ca7e82d1f7fcb9db360bcfb14935cd9dfd01bb9c4e66a8ee
                                                    • Instruction ID: 9551ffb2113f5f5ba6e8625844996f64137f4211255aa36ac5677265265acc43
                                                    • Opcode Fuzzy Hash: bd60f62efbcc22a6ca7e82d1f7fcb9db360bcfb14935cd9dfd01bb9c4e66a8ee
                                                    • Instruction Fuzzy Hash: 631126B5C002488FDB10DF9AC444BEEFBF5EB48210F10845AD858A7210D3B8A545CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef1d300d8f3c8907304f62cd4e441fb39bce99b77d1044e8b62e18eb95c6b7bf
                                                    • Instruction ID: 9c991e9b1628fb1f94f063daffa3197cbc000ad9d68e129e7312d25ecbcff6bf
                                                    • Opcode Fuzzy Hash: ef1d300d8f3c8907304f62cd4e441fb39bce99b77d1044e8b62e18eb95c6b7bf
                                                    • Instruction Fuzzy Hash: 741104B6D002489FDB20DF9AC445BDEFBF4FB88220F14845AD859A3310D7B8A545CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ccb5e44e1868b4f0e8c6b8c02c04074b1be4c40800cb86012ecf7bf51a198ce5
                                                    • Instruction ID: 0e96a7d9ebc1ed960ad37c48e3ba55a5fd3375d79ecbe790f09694bfd2b4f422
                                                    • Opcode Fuzzy Hash: ccb5e44e1868b4f0e8c6b8c02c04074b1be4c40800cb86012ecf7bf51a198ce5
                                                    • Instruction Fuzzy Hash: 3001DB31B443186FEB08D6BD9855AFE7FEADB85220F1484BAA409D3341EDF4AC454295
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a24d832af9e48b30f01a7710c5e1db9cf2f7ed2bba5069e2775e05e470b4e9fa
                                                    • Instruction ID: b3f05b94cb18652a0cd468fd3f6f7734d013f68f91582b1f862378dfedc02a4a
                                                    • Opcode Fuzzy Hash: a24d832af9e48b30f01a7710c5e1db9cf2f7ed2bba5069e2775e05e470b4e9fa
                                                    • Instruction Fuzzy Hash: C7117C70E0121C9FDB14DBE9D9006EDBBB6AF88300F14406AD406A7394DBF4AA45CB91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7956b4549018e1464b78ba39082e4258c15adf529264a328aca2fcbd96039467
                                                    • Instruction ID: e9e1a4c8f5b08577e25037bb8596632a951fc82ddfb765d976dced184560110f
                                                    • Opcode Fuzzy Hash: 7956b4549018e1464b78ba39082e4258c15adf529264a328aca2fcbd96039467
                                                    • Instruction Fuzzy Hash: F2017C31310604CFE718DE69D845E6673AAFF84211F24C5BAD505CB360CBF5EC068A51
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25e42a60238957e40d57b9d8f21436e449844af00dee69b71e6050cddbfe0f51
                                                    • Instruction ID: efdb981747f00bf98a4ee1b008f0ef18de7bd18527d678ee96fad1fd507e0112
                                                    • Opcode Fuzzy Hash: 25e42a60238957e40d57b9d8f21436e449844af00dee69b71e6050cddbfe0f51
                                                    • Instruction Fuzzy Hash: 62F0A971B001295FDF0976689C59AFF7A79EB85550F200069F505E7340CAF45D0243D5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac961e7002c175e1b0808a8b1a05c99a0be97372f2903ce50897d755aaae905d
                                                    • Instruction ID: 7f9e8b6a644d21a0b8b073751b206f6cc8951a6592ee29599f14bfbad7821b98
                                                    • Opcode Fuzzy Hash: ac961e7002c175e1b0808a8b1a05c99a0be97372f2903ce50897d755aaae905d
                                                    • Instruction Fuzzy Hash: AD1106B59047488FDB20DF9AC445BDEFBF4EB48320F208459D519A7300D7B9A944CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb461457fae4ab1c42e18eb8228eebf5bbc482c5ee7c7cc5e24ce8e30f26be19
                                                    • Instruction ID: 08b3083016cddc05ba420f0d7704df55a0ef31c7787a5bf8ee60519efb3279fb
                                                    • Opcode Fuzzy Hash: cb461457fae4ab1c42e18eb8228eebf5bbc482c5ee7c7cc5e24ce8e30f26be19
                                                    • Instruction Fuzzy Hash: C81106B69007488FDB20DF9AD445BDEFBF4EB48320F208459D519A7300D7B8A545CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a8441cc7f896fadf72914a91de0a106d3ecc017851960577cc619c008801ebc1
                                                    • Instruction ID: 536012bbbeb60dd6e099a47da7fad0d406b2da7db86ebe5dd837249614c62033
                                                    • Opcode Fuzzy Hash: a8441cc7f896fadf72914a91de0a106d3ecc017851960577cc619c008801ebc1
                                                    • Instruction Fuzzy Hash: 0D1106B59047488FDB20DF9AD445BDEFBF4EB48320F208459D519A7300D7B9A944CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1612769983.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_180d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88aaf547fe3220041b681f73f16c773c143f5f10a82da0a8f0b32f6e16a253b2
                                                    • Instruction ID: abf61eb2d0a0b1e33fb0fa975bb301b0705e4a82e356b891aa171a0d4c0368cb
                                                    • Opcode Fuzzy Hash: 88aaf547fe3220041b681f73f16c773c143f5f10a82da0a8f0b32f6e16a253b2
                                                    • Instruction Fuzzy Hash: 9901203110438C9FF7524ED9CC84B66FBA8DF41364F04C619DD044E1C2D7799541CA75
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 571a530124b508c5caf93faeef070a9bb01edff98f5b68ed2299bd056dcba058
                                                    • Instruction ID: a5f0553a77a08b8232605b91ae2aafabc743a46e12ab9c7ea535afd602201611
                                                    • Opcode Fuzzy Hash: 571a530124b508c5caf93faeef070a9bb01edff98f5b68ed2299bd056dcba058
                                                    • Instruction Fuzzy Hash: 62F044343441114BA729DA3E94949BE33DAAFC495130448AAE506C7360EEE5EC4587A1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 11129cd428d9a0cb5a558bd4ac8182e63d3e32179dd81f12c4338ddfce21b1f4
                                                    • Instruction ID: c497d9f84f2d2faf98c72f1518d579d72cf5eb5e069903fdc67fe9a1fe57d7a8
                                                    • Opcode Fuzzy Hash: 11129cd428d9a0cb5a558bd4ac8182e63d3e32179dd81f12c4338ddfce21b1f4
                                                    • Instruction Fuzzy Hash: 2C012C70E181989FDB14DB6AD894AEDBFF6EF4A300F1444AAE442E7361D6B5A900CB50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a0269b8730453d9a32ed1c41944a9cd99583d8d1452b48f8ac4dbce8d3b67035
                                                    • Instruction ID: 226e39fcf7a600f783098ac3cf5c9beebfc1dc80cafd8d426c910a7587c9acb3
                                                    • Opcode Fuzzy Hash: a0269b8730453d9a32ed1c41944a9cd99583d8d1452b48f8ac4dbce8d3b67035
                                                    • Instruction Fuzzy Hash: 33016D30310600CFD718DF69D840E66B3AAFF85224B64C5AAD409C7361DBF6EC068B51
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93abdb5cfea1ae8a659291e42c276b9ff4e683ef79cd9c37192238144589ed3d
                                                    • Instruction ID: 1020995f52dbe3f9b42c8d1efd47ce355212094211ed5a4555e2e73a355804d1
                                                    • Opcode Fuzzy Hash: 93abdb5cfea1ae8a659291e42c276b9ff4e683ef79cd9c37192238144589ed3d
                                                    • Instruction Fuzzy Hash: 37F09671B002195B9F09B6A89C585FFBBBAAB89550B200069F505A7340CAF45E0187D5
                                                    • Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1659006365.0000000005BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BB0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_5bb0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb3324970531e32559f4c07ae89d8c69c3eca0cf34872322c433be2f02c57338
                                                    • Instruction ID: 57a7320fa0e13519dd8949bdfe6fe90ac82b6b3c220bb03b726b76e48a83f6e9
                                                    • Opcode Fuzzy Hash: bb3324970531e32559f4c07ae89d8c69c3eca0cf34872322c433be2f02c57338
                                                    • Instruction Fuzzy Hash: F0C08C35040100AF9702A7548484C6A76B5FF81300B40C881A280450219AE0D928D713

                                                    Execution Graph

                                                    Execution Coverage:10.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:194
                                                    Total number of Limit Nodes:10
                                                    execution_graph 19983 110fb00 19984 110fb46 GetCurrentProcess 19983->19984 19986 110fb91 19984->19986 19987 110fb98 GetCurrentThread 19984->19987 19986->19987 19988 110fbd5 GetCurrentProcess 19987->19988 19989 110fbce 19987->19989 19990 110fc0b GetCurrentThreadId 19988->19990 19989->19988 19992 110fc64 19990->19992 19995 2c87ea8 19996 2c88033 19995->19996 19998 2c87ece 19995->19998 19998->19996 19999 2c843d8 19998->19999 20000 2c88128 PostMessageW 19999->20000 20001 2c88194 20000->20001 20001->19998 20027 110da60 20028 110daa2 20027->20028 20029 110daa8 GetModuleHandleW 20027->20029 20028->20029 20030 110dad5 20029->20030 19993 110fd48 DuplicateHandle 19994 110fdde 19993->19994 20002 11064f8 20003 1106501 20002->20003 20004 1106539 20003->20004 20006 1106607 20003->20006 20007 11065a3 20006->20007 20007->20006 20008 110663b 20007->20008 20010 1106741 20007->20010 20008->20003 20011 1106765 20010->20011 20015 1106850 20011->20015 20019 1106842 20011->20019 20017 1106877 20015->20017 20016 1106954 20016->20016 20017->20016 20023 1106404 20017->20023 20021 1106850 20019->20021 20020 1106954 20020->20020 20021->20020 20022 1106404 CreateActCtxA 20021->20022 20022->20020 20024 1107ce0 CreateActCtxA 20023->20024 20026 1107da3 20024->20026 20031 2c86274 20032 2c8627a 20031->20032 20033 2c862d7 20031->20033 20038 2c86b88 20032->20038 20058 2c86bee 20032->20058 20079 2c86b78 20032->20079 20034 2c86613 20039 2c86ba2 20038->20039 20040 2c86baa 20039->20040 20099 2c8702e 20039->20099 20104 2c87256 20039->20104 20109 2c87335 20039->20109 20113 2c874d5 20039->20113 20117 2c87274 20039->20117 20122 2c871f0 20039->20122 20127 2c872bf 20039->20127 20132 2c872fe 20039->20132 20137 2c8717e 20039->20137 20142 2c8721d 20039->20142 20150 2c86fdd 20039->20150 20155 2c86fbb 20039->20155 20160 2c8713a 20039->20160 20165 2c875e5 20039->20165 20169 2c876a4 20039->20169 20174 2c87104 20039->20174 20179 2c87140 20039->20179 20040->20034 20059 2c86b7c 20058->20059 20060 2c86bf1 20058->20060 20061 2c86baa 20059->20061 20062 2c8702e 2 API calls 20059->20062 20063 2c87140 2 API calls 20059->20063 20064 2c87104 2 API calls 20059->20064 20065 2c876a4 2 API calls 20059->20065 20066 2c875e5 2 API calls 20059->20066 20067 2c8713a 2 API calls 20059->20067 20068 2c86fbb 2 API calls 20059->20068 20069 2c86fdd 2 API calls 20059->20069 20070 2c8721d 4 API calls 20059->20070 20071 2c8717e 2 API calls 20059->20071 20072 2c872fe 2 API calls 20059->20072 20073 2c872bf 2 API calls 20059->20073 20074 2c871f0 2 API calls 20059->20074 20075 2c87274 2 API calls 20059->20075 20076 2c874d5 2 API calls 20059->20076 20077 2c87335 2 API calls 20059->20077 20078 2c87256 2 API calls 20059->20078 20060->20034 20061->20034 20062->20061 20063->20061 20064->20061 20065->20061 20066->20061 20067->20061 20068->20061 20069->20061 20070->20061 20071->20061 20072->20061 20073->20061 20074->20061 20075->20061 20076->20061 20077->20061 20078->20061 20080 2c86b7c 20079->20080 20081 2c8702e 2 API calls 20080->20081 20082 2c87140 2 API calls 20080->20082 20083 2c87104 2 API calls 20080->20083 20084 2c876a4 2 API calls 20080->20084 20085 2c86baa 20080->20085 20086 2c875e5 2 API calls 20080->20086 20087 2c8713a 2 API calls 20080->20087 20088 2c86fbb 2 API calls 20080->20088 20089 2c86fdd 2 API calls 20080->20089 20090 2c8721d 4 API calls 20080->20090 20091 2c8717e 2 API calls 20080->20091 20092 2c872fe 2 API calls 20080->20092 20093 2c872bf 2 API calls 20080->20093 20094 2c871f0 2 API calls 20080->20094 20095 2c87274 2 API calls 20080->20095 20096 2c874d5 2 API calls 20080->20096 20097 2c87335 2 API calls 20080->20097 20098 2c87256 2 API calls 20080->20098 20081->20085 20082->20085 20083->20085 20084->20085 20085->20034 20086->20085 20087->20085 20088->20085 20089->20085 20090->20085 20091->20085 20092->20085 20093->20085 20094->20085 20095->20085 20096->20085 20097->20085 20098->20085 20100 2c87040 20099->20100 20184 2c85de0 20100->20184 20188 2c85dd4 20100->20188 20105 2c871a8 20104->20105 20192 2c85c48 20105->20192 20196 2c85c40 20105->20196 20106 2c876cd 20200 2c85a90 20109->20200 20204 2c85a98 20109->20204 20110 2c87353 20208 2c85588 20113->20208 20212 2c85580 20113->20212 20114 2c874ef 20118 2c8727a 20117->20118 20216 2c85099 20118->20216 20220 2c850a0 20118->20220 20119 2c872a0 20119->20040 20123 2c871f9 20122->20123 20224 2c85b58 20123->20224 20228 2c85b50 20123->20228 20124 2c87878 20124->20040 20128 2c8728c 20127->20128 20129 2c872a0 20128->20129 20130 2c85099 ResumeThread 20128->20130 20131 2c850a0 ResumeThread 20128->20131 20129->20040 20130->20129 20131->20129 20133 2c8728b 20132->20133 20134 2c872a0 20132->20134 20135 2c85099 ResumeThread 20133->20135 20136 2c850a0 ResumeThread 20133->20136 20134->20040 20135->20134 20136->20134 20138 2c871a7 20137->20138 20140 2c85c48 ReadProcessMemory 20138->20140 20141 2c85c40 ReadProcessMemory 20138->20141 20139 2c876cd 20140->20139 20141->20139 20148 2c85588 Wow64SetThreadContext 20142->20148 20149 2c85580 Wow64SetThreadContext 20142->20149 20143 2c8799a 20144 2c871a8 20144->20143 20146 2c85c48 ReadProcessMemory 20144->20146 20147 2c85c40 ReadProcessMemory 20144->20147 20145 2c876cd 20146->20145 20147->20145 20148->20144 20149->20144 20151 2c86fbf 20150->20151 20153 2c85de0 CreateProcessA 20151->20153 20154 2c85dd4 CreateProcessA 20151->20154 20152 2c870cb 20152->20040 20153->20152 20154->20152 20156 2c87036 20155->20156 20158 2c85de0 CreateProcessA 20156->20158 20159 2c85dd4 CreateProcessA 20156->20159 20157 2c870cb 20157->20040 20158->20157 20159->20157 20161 2c871a7 20160->20161 20163 2c85c48 ReadProcessMemory 20161->20163 20164 2c85c40 ReadProcessMemory 20161->20164 20162 2c876cd 20163->20162 20164->20162 20167 2c85b58 WriteProcessMemory 20165->20167 20168 2c85b50 WriteProcessMemory 20165->20168 20166 2c870f3 20166->20040 20167->20166 20168->20166 20170 2c876aa 20169->20170 20171 2c876cd 20170->20171 20172 2c85c48 ReadProcessMemory 20170->20172 20173 2c85c40 ReadProcessMemory 20170->20173 20172->20171 20173->20171 20175 2c87116 20174->20175 20177 2c85c48 ReadProcessMemory 20175->20177 20178 2c85c40 ReadProcessMemory 20175->20178 20176 2c876cd 20177->20176 20178->20176 20180 2c8714d 20179->20180 20182 2c85b58 WriteProcessMemory 20180->20182 20183 2c85b50 WriteProcessMemory 20180->20183 20181 2c870f3 20181->20040 20182->20181 20183->20181 20185 2c85e69 CreateProcessA 20184->20185 20187 2c8602b 20185->20187 20189 2c85e69 CreateProcessA 20188->20189 20191 2c8602b 20189->20191 20193 2c85c93 ReadProcessMemory 20192->20193 20195 2c85cd7 20193->20195 20195->20106 20197 2c85c93 ReadProcessMemory 20196->20197 20199 2c85cd7 20197->20199 20199->20106 20201 2c85ad8 VirtualAllocEx 20200->20201 20203 2c85b15 20201->20203 20203->20110 20205 2c85ad8 VirtualAllocEx 20204->20205 20207 2c85b15 20205->20207 20207->20110 20209 2c855cd Wow64SetThreadContext 20208->20209 20211 2c85615 20209->20211 20211->20114 20213 2c855cd Wow64SetThreadContext 20212->20213 20215 2c85615 20213->20215 20215->20114 20217 2c850e0 ResumeThread 20216->20217 20219 2c85111 20217->20219 20219->20119 20221 2c850e0 ResumeThread 20220->20221 20223 2c85111 20221->20223 20223->20119 20225 2c85ba0 WriteProcessMemory 20224->20225 20227 2c85bf7 20225->20227 20227->20124 20229 2c85ba0 WriteProcessMemory 20228->20229 20231 2c85bf7 20229->20231 20231->20124

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0110FB7E
                                                    • GetCurrentThread.KERNEL32 ref: 0110FBBB
                                                    • GetCurrentProcess.KERNEL32 ref: 0110FBF8
                                                    • GetCurrentThreadId.KERNEL32 ref: 0110FC51
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1100000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 38d56fad5e67e3eff2b913856f22736bfc6d038cc0799a8277c359f4acd4c316
                                                    • Instruction ID: 0e4dd57885a8c7db405093b39926411ff0d8a4d39cb4b3454411f0ff38b2cf95
                                                    • Opcode Fuzzy Hash: 38d56fad5e67e3eff2b913856f22736bfc6d038cc0799a8277c359f4acd4c316
                                                    • Instruction Fuzzy Hash: DC5148B0D0074A8FDB18CFA9D549BDEBBF1EF88314F208419E419A7290D7789945CF65

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 21 2c85dd4-2c85e75 23 2c85eae-2c85ece 21->23 24 2c85e77-2c85e81 21->24 31 2c85ed0-2c85eda 23->31 32 2c85f07-2c85f36 23->32 24->23 25 2c85e83-2c85e85 24->25 26 2c85ea8-2c85eab 25->26 27 2c85e87-2c85e91 25->27 26->23 29 2c85e93 27->29 30 2c85e95-2c85ea4 27->30 29->30 30->30 33 2c85ea6 30->33 31->32 34 2c85edc-2c85ede 31->34 38 2c85f38-2c85f42 32->38 39 2c85f6f-2c86029 CreateProcessA 32->39 33->26 36 2c85ee0-2c85eea 34->36 37 2c85f01-2c85f04 34->37 40 2c85eec 36->40 41 2c85eee-2c85efd 36->41 37->32 38->39 43 2c85f44-2c85f46 38->43 52 2c8602b-2c86031 39->52 53 2c86032-2c860b8 39->53 40->41 41->41 42 2c85eff 41->42 42->37 44 2c85f48-2c85f52 43->44 45 2c85f69-2c85f6c 43->45 47 2c85f54 44->47 48 2c85f56-2c85f65 44->48 45->39 47->48 48->48 50 2c85f67 48->50 50->45 52->53 63 2c860c8-2c860cc 53->63 64 2c860ba-2c860be 53->64 66 2c860dc-2c860e0 63->66 67 2c860ce-2c860d2 63->67 64->63 65 2c860c0 64->65 65->63 69 2c860f0-2c860f4 66->69 70 2c860e2-2c860e6 66->70 67->66 68 2c860d4 67->68 68->66 71 2c86106-2c8610d 69->71 72 2c860f6-2c860fc 69->72 70->69 73 2c860e8 70->73 74 2c8610f-2c8611e 71->74 75 2c86124 71->75 72->71 73->69 74->75 77 2c86125 75->77 77->77
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02C86016
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: bb93f8000b20cdd5e446804249e87f69159c4957d765735fde22005d2db513ef
                                                    • Instruction ID: caaf3a287524027a3a181282eb52fe509936443ef3bad76e9b6a9478c118d41d
                                                    • Opcode Fuzzy Hash: bb93f8000b20cdd5e446804249e87f69159c4957d765735fde22005d2db513ef
                                                    • Instruction Fuzzy Hash: 87A15A71D002598FEB20DF68C8817EDBBB2FF44318F14816AD809A7280DB799A85CF91

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 78 2c85de0-2c85e75 80 2c85eae-2c85ece 78->80 81 2c85e77-2c85e81 78->81 88 2c85ed0-2c85eda 80->88 89 2c85f07-2c85f36 80->89 81->80 82 2c85e83-2c85e85 81->82 83 2c85ea8-2c85eab 82->83 84 2c85e87-2c85e91 82->84 83->80 86 2c85e93 84->86 87 2c85e95-2c85ea4 84->87 86->87 87->87 90 2c85ea6 87->90 88->89 91 2c85edc-2c85ede 88->91 95 2c85f38-2c85f42 89->95 96 2c85f6f-2c86029 CreateProcessA 89->96 90->83 93 2c85ee0-2c85eea 91->93 94 2c85f01-2c85f04 91->94 97 2c85eec 93->97 98 2c85eee-2c85efd 93->98 94->89 95->96 100 2c85f44-2c85f46 95->100 109 2c8602b-2c86031 96->109 110 2c86032-2c860b8 96->110 97->98 98->98 99 2c85eff 98->99 99->94 101 2c85f48-2c85f52 100->101 102 2c85f69-2c85f6c 100->102 104 2c85f54 101->104 105 2c85f56-2c85f65 101->105 102->96 104->105 105->105 107 2c85f67 105->107 107->102 109->110 120 2c860c8-2c860cc 110->120 121 2c860ba-2c860be 110->121 123 2c860dc-2c860e0 120->123 124 2c860ce-2c860d2 120->124 121->120 122 2c860c0 121->122 122->120 126 2c860f0-2c860f4 123->126 127 2c860e2-2c860e6 123->127 124->123 125 2c860d4 124->125 125->123 128 2c86106-2c8610d 126->128 129 2c860f6-2c860fc 126->129 127->126 130 2c860e8 127->130 131 2c8610f-2c8611e 128->131 132 2c86124 128->132 129->128 130->126 131->132 134 2c86125 132->134 134->134
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02C86016
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: e19ee1f7b742babf4083e521ab9c5a777e7d655e0b518483e1d459cce24db5e3
                                                    • Instruction ID: 2afcb0270aaa7b721fb88f43430f3c4dae542cef084423014d050226e7a8791c
                                                    • Opcode Fuzzy Hash: e19ee1f7b742babf4083e521ab9c5a777e7d655e0b518483e1d459cce24db5e3
                                                    • Instruction Fuzzy Hash: E1914A71D002599FEB20DF68CC807DDBBB2FF48318F158169E809A7280DB799A85CF95

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 135 1106404-1107da1 CreateActCtxA 138 1107da3-1107da9 135->138 139 1107daa-1107e04 135->139 138->139 146 1107e13-1107e17 139->146 147 1107e06-1107e09 139->147 148 1107e28 146->148 149 1107e19-1107e25 146->149 147->146 150 1107e29 148->150 149->148 150->150
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01107D91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1100000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: b94cccd441060baacbbadeb8544f87720942c044fc1c3bf47eb29bf0eb8edbe0
                                                    • Instruction ID: 86b0ebf14d73f6265580b605d09af308072105836cb2d449524d1387cdaf79ca
                                                    • Opcode Fuzzy Hash: b94cccd441060baacbbadeb8544f87720942c044fc1c3bf47eb29bf0eb8edbe0
                                                    • Instruction Fuzzy Hash: A241D2B1C00719CBEB29DFA9C884BDDBBB5BF49304F20845AD408AB291D7B56946CF90

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 152 1107cd5-1107da1 CreateActCtxA 154 1107da3-1107da9 152->154 155 1107daa-1107e04 152->155 154->155 162 1107e13-1107e17 155->162 163 1107e06-1107e09 155->163 164 1107e28 162->164 165 1107e19-1107e25 162->165 163->162 166 1107e29 164->166 165->164 166->166
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01107D91
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1100000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: fa32cd93579f57b8163ca6885caeb5df4878c9a8faf759b669b26affd106dfdd
                                                    • Instruction ID: 60092e4fb25a526e7257a9f5c5263a8f9998dc65e11bd9101e04c4944abed76d
                                                    • Opcode Fuzzy Hash: fa32cd93579f57b8163ca6885caeb5df4878c9a8faf759b669b26affd106dfdd
                                                    • Instruction Fuzzy Hash: 9F41C5B1C00719CFEB29CFA9C8857DDBBB2BF48304F24845AD418AB254D7B96946CF50

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 168 2c85b50-2c85ba6 170 2c85ba8-2c85bb4 168->170 171 2c85bb6-2c85bf5 WriteProcessMemory 168->171 170->171 173 2c85bfe-2c85c2e 171->173 174 2c85bf7-2c85bfd 171->174 174->173
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02C85BE8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 18ce463f78422a64d691bee68be5284f89391c4baac9e92b126d781b89fcb676
                                                    • Instruction ID: e0c122f41006f63ba9989b8495afba854f6547658515770be19486a97e22dd5c
                                                    • Opcode Fuzzy Hash: 18ce463f78422a64d691bee68be5284f89391c4baac9e92b126d781b89fcb676
                                                    • Instruction Fuzzy Hash: 202146B1D003599FDB10DFA9C884BEEBBF1FF48314F10842AE918A7240CB789945CB60

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 178 2c85b58-2c85ba6 180 2c85ba8-2c85bb4 178->180 181 2c85bb6-2c85bf5 WriteProcessMemory 178->181 180->181 183 2c85bfe-2c85c2e 181->183 184 2c85bf7-2c85bfd 181->184 184->183
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02C85BE8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: f68f4f753ac6bf1b026f339f719457fea54025d5458fe7bee1120822b75061c1
                                                    • Instruction ID: 28bdbe70d54f6e32f6cd4b46f08d925596bce56343a8aec938474627957fc785
                                                    • Opcode Fuzzy Hash: f68f4f753ac6bf1b026f339f719457fea54025d5458fe7bee1120822b75061c1
                                                    • Instruction Fuzzy Hash: 43212AB5D003499FDB10DFAAC885BEEBBF5FF48314F508429E919A7240D7789941CBA0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 188 2c85c40-2c85cd5 ReadProcessMemory 191 2c85cde-2c85d0e 188->191 192 2c85cd7-2c85cdd 188->192 192->191
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02C85CC8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 6b2dc20c9e1757bc8c5265e1329b31e36dc778494e2d5628be83693be59cc445
                                                    • Instruction ID: 0e512e27cdb029ecbbadb97672d8bf001191007d271a08b941e02f4a224a8fd3
                                                    • Opcode Fuzzy Hash: 6b2dc20c9e1757bc8c5265e1329b31e36dc778494e2d5628be83693be59cc445
                                                    • Instruction Fuzzy Hash: 68210771D007599FDB10DFAAC9817DEBBB1FF48310F50882AE958A7240D7789945CB60

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 216 2c85c48-2c85cd5 ReadProcessMemory 219 2c85cde-2c85d0e 216->219 220 2c85cd7-2c85cdd 216->220 220->219
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02C85CC8
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 3ad5057d774ccbdc2c2abf6c80e94c2c70e116c467b37d520e7978d6fbc869de
                                                    • Instruction ID: 90782fbca1cd5f79d73e1c6344cae2eff1c4355788d31a1ee9e4debc69452f4a
                                                    • Opcode Fuzzy Hash: 3ad5057d774ccbdc2c2abf6c80e94c2c70e116c467b37d520e7978d6fbc869de
                                                    • Instruction Fuzzy Hash: 092116B1D003599FDB10DFAAC880BEEBBF5FF48310F50842AE518A7240C7789941CBA0

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 206 2c85588-2c855d3 208 2c855e3-2c85613 Wow64SetThreadContext 206->208 209 2c855d5-2c855e1 206->209 211 2c8561c-2c8564c 208->211 212 2c85615-2c8561b 208->212 209->208 212->211
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C85606
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 3c14d37003dac1e8c60bf4e15f27e142ad1e632a08ac1cfb3d87c64873df5872
                                                    • Instruction ID: 891fea8564939acd4d55055ed83806b4057500f44fe310a99e505d6058be74aa
                                                    • Opcode Fuzzy Hash: 3c14d37003dac1e8c60bf4e15f27e142ad1e632a08ac1cfb3d87c64873df5872
                                                    • Instruction Fuzzy Hash: EE2147B1D003098FDB10DFAAC4857EEBBF4EF88324F54842AD419A7240CB78A945CFA4

                                                    Control-flow Graph

                                                    control_flow_graph 196 2c85580-2c855d3 198 2c855e3-2c85613 Wow64SetThreadContext 196->198 199 2c855d5-2c855e1 196->199 201 2c8561c-2c8564c 198->201 202 2c85615-2c8561b 198->202 199->198 202->201
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C85606
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: b73066db7931bdb4e88f8e3791e1626b1f352febd977b7d1c063a0f45ff68d27
                                                    • Instruction ID: a888637fee5361a566502074c5fbde818d865eb150bdb744789d96d2a33d964f
                                                    • Opcode Fuzzy Hash: b73066db7931bdb4e88f8e3791e1626b1f352febd977b7d1c063a0f45ff68d27
                                                    • Instruction Fuzzy Hash: E62138B5D003098FDB10DFAAC5817EEBBF5EF48214F54C42AD419A7240CB789945CFA4

                                                    Control-flow Graph

                                                    control_flow_graph 224 110fd48-110fddc DuplicateHandle 225 110fde5-110fe02 224->225 226 110fdde-110fde4 224->226 226->225
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110FDCF
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1100000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: e8831de448584c3e15dac00ff1819db59d6753a640d23b18798d050277ea828f
                                                    • Instruction ID: 10bd20dd0100a9f383e6326179fcc4517091b57049d6b03e3097f145140ccb48
                                                    • Opcode Fuzzy Hash: e8831de448584c3e15dac00ff1819db59d6753a640d23b18798d050277ea828f
                                                    • Instruction Fuzzy Hash: AA21C4B5D002499FDB10CF9AD585ADEBBF5EB48310F14841AE918A3350D378A945CF65

                                                    Control-flow Graph

                                                    control_flow_graph 229 2c85a90-2c85b13 VirtualAllocEx 232 2c85b1c-2c85b41 229->232 233 2c85b15-2c85b1b 229->233 233->232
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C85B06
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: a92a11a3bb5f4cabe5e4015d7b90c2f3f335abba6b332d437fe666f0fe8d67fb
                                                    • Instruction ID: 90f60f71a576ab0806c1abb3e1f55970210b11940fd10eaa47ee086b18c32818
                                                    • Opcode Fuzzy Hash: a92a11a3bb5f4cabe5e4015d7b90c2f3f335abba6b332d437fe666f0fe8d67fb
                                                    • Instruction Fuzzy Hash: 281147729002499FDB20DFAAC444BDEBBF5EF48310F208819E519A7250CB799941CFA0

                                                    Control-flow Graph

                                                    control_flow_graph 237 2c85a98-2c85b13 VirtualAllocEx 240 2c85b1c-2c85b41 237->240 241 2c85b15-2c85b1b 237->241 241->240
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C85B06
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: d85c0b4c7024f3e7a9ff08490868e0d5048b4e5890c6b2a7eff0d51797473c20
                                                    • Instruction ID: bc0f46996482999fcff5885598b231c151b6f61ef6f9784a1806f2cfed6a147f
                                                    • Opcode Fuzzy Hash: d85c0b4c7024f3e7a9ff08490868e0d5048b4e5890c6b2a7eff0d51797473c20
                                                    • Instruction Fuzzy Hash: E41129719003499FDB20DFAAC844BDEBBF5EF48324F148419E519A7250CB79A941CFA4

                                                    Control-flow Graph

                                                    control_flow_graph 245 2c85099-2c8510f ResumeThread 248 2c85118-2c8513d 245->248 249 2c85111-2c85117 245->249 249->248
                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 02C85102
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: ddb3b27618ff696c74f45785630c954bfce5967ce7f30ec021886ecfdec964b3
                                                    • Instruction ID: 81dee74573a85c19b54d848a3f0ca8722776ddc326ce0c86ab8d5f19cff4ef50
                                                    • Opcode Fuzzy Hash: ddb3b27618ff696c74f45785630c954bfce5967ce7f30ec021886ecfdec964b3
                                                    • Instruction Fuzzy Hash: E0112EB1D003498FDB20DFAAC4857EEBBF5EF88314F148459D419A7240CB795545CFA4
                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 02C85102
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: a13c795338d481913b6cba4286ec7ddc3d443b8f48a0bccae5569ff13aea1dfa
                                                    • Instruction ID: 63194a45b6fbda72f7c3a4bda11adf4f59afedddae1783ae738a4d1338919bfb
                                                    • Opcode Fuzzy Hash: a13c795338d481913b6cba4286ec7ddc3d443b8f48a0bccae5569ff13aea1dfa
                                                    • Instruction Fuzzy Hash: C511FB75D003498FDB20DFAAC4457DEFBF5EB88324F248419D519A7240CB79A545CBA4
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 02C88185
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: de10fc273e8c6bfcda7adbb2c4adb02ad7abc87d0969da429de535dfc4338496
                                                    • Instruction ID: 5915fd25c2cd63ac6245614b9c666e645f02db1b0eb122c4fd449d7a62a9124d
                                                    • Opcode Fuzzy Hash: de10fc273e8c6bfcda7adbb2c4adb02ad7abc87d0969da429de535dfc4338496
                                                    • Instruction Fuzzy Hash: BA1106B590034D9FDB20DF9AC885BEEFBF8EB48314F108819E518A7600C379A944CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0110DAC6
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_1100000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: f444f2949f2ac138fcd7a76818c20f8a0af2692214c31669be466ac774e50679
                                                    • Instruction ID: e018c1bd653d7a9924f5a4cb56566a72bee1e069f6a5dba61a500e0d64b44812
                                                    • Opcode Fuzzy Hash: f444f2949f2ac138fcd7a76818c20f8a0af2692214c31669be466ac774e50679
                                                    • Instruction Fuzzy Hash: F11110B6C00249CFDB24DF9AD444BDEFBF4EB88220F10841AD929B7250C379A545CFA1
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 02C88185
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_2c80000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: fd87c1e0b8421753f7eb46a0a9a21532acc0f213e8af4858a66207444f9dc951
                                                    • Instruction ID: db5567efafc34c537d2851c9bb9413ed9d74439b4b7b41b709cc2eb246eda5ad
                                                    • Opcode Fuzzy Hash: fd87c1e0b8421753f7eb46a0a9a21532acc0f213e8af4858a66207444f9dc951
                                                    • Instruction Fuzzy Hash: 151103B5900349CFDB10DF99C985BEEBBF4FB48314F20885AD918A7600C379A944CFA0
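Added example, not part of the Joe Sandbox report: a small Python script that reads the function records above (the bullet under "APIs" and the "Source File" line of each record) and groups the called APIs per memory region. The records for process 7 at base 02C80000 contain VirtualAllocEx, Wow64SetThreadContext and ResumeThread, the call set a RunPE-style loader needs to map code into a suspended child, redirect its thread and start it. The rule that flags that combination is an assumption of this example, not a Joe Sandbox signature; the WM_CLOSE name for the 0x10 argument of PostMessageW is the winuser.h constant; the first dot-separated field of the dump name is read as the analysis process id because 0000000A on this page pairs with the hcaresult_10_... snapshot name. The sample lines are copied from the records above.

```python
import re
from collections import defaultdict

# Constructed sample: the API and Memory Dump Source lines of the function records
# above (process 7), copied from the report; nothing else is needed for the rule.
SAMPLE_REPORT = """\
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02C85606
• Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0110FDCF
• Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02C85B06
• Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
• ResumeThread.KERNELBASE(?), ref: 02C85102
• Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
• PostMessageW.USER32(?,00000010,00000000,?), ref: 02C88185
• Source File: 00000007.00000002.1680943996.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
• GetModuleHandleW.KERNELBASE(00000000), ref: 0110DAC6
• Source File: 00000007.00000002.1678332023.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
"""

# "Api.Module(args), ref: ADDR" as printed under "APIs"; "?" marks an unresolved argument.
API_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Dump name: <pid hex>.<stage hex>.<id>.<base hex>.<...>.sdmp (pid field assumed from the
# 0000000A / hcaresult_10 pairing visible on the page).
SRC_RE = re.compile(r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.")

# Win32 window-message constants from winuser.h, for the second PostMessage argument.
WINDOW_MESSAGES = {0x0002: "WM_DESTROY", 0x0010: "WM_CLOSE", 0x0012: "WM_QUIT"}

# Assumed indicator: the three call families a RunPE-style loader needs in one region.
ALLOC = {"VirtualAllocEx", "NtAllocateVirtualMemory"}
SET_CONTEXT = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME = {"ResumeThread", "NtResumeThread"}


def parse_functions(text):
    """Return one record per function block: its API calls plus the dump it came from."""
    pending, records = [], []
    for line in text.splitlines():
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            pending.append({"api": m["api"], "module": m["mod"], "args": args,
                            "ref": int(m["ref"], 16)})
            continue
        m = SRC_RE.search(line)
        if m:  # the Source File line closes the block the pending APIs belong to
            records.append({"pid": int(m["pid"], 16), "base": int(m["base"], 16),
                            "calls": pending})
            pending = []
    return records


def apis_by_region(records):
    """Group API names by (pid, region base) so co-occurrence is judged per blob of code."""
    regions = defaultdict(set)
    for r in records:
        regions[(r["pid"], r["base"])].update(c["api"] for c in r["calls"])
    return dict(regions)


def injection_findings(regions):
    """Flag regions that allocate in another process, rewrite a thread context and resume it."""
    hits = []
    for (pid, base), apis in regions.items():
        matched = (apis & ALLOC, apis & SET_CONTEXT, apis & RESUME)
        if all(matched):
            hits.append({"pid": pid, "base": base,
                         "evidence": sorted(set().union(*matched))})
    return hits


def decode_window_message(call):
    """Name the message of a PostMessage/SendMessage call when the report resolved it."""
    if call["api"] not in {"PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"}:
        return None
    if len(call["args"]) < 2 or call["args"][1] == "?":
        return None
    return WINDOW_MESSAGES.get(int(call["args"][1], 16), "unknown")


if __name__ == "__main__":
    recs = parse_functions(SAMPLE_REPORT)
    for hit in injection_findings(apis_by_region(recs)):
        print(f"pid {hit['pid']} region {hit['base']:08X}: {', '.join(hit['evidence'])}")
    for rec in recs:
        for call in rec["calls"]:
            name = decode_window_message(call)
            if name:
                print(f"{call['api']} at {call['ref']:08X} sends {name}")
```

Grouping by region matters more than the raw API list: the same three calls spread over unrelated modules are unremarkable, while all three inside one dynamically allocated region (base 02C80000 here, "based on PE: false") is the shape of an in-memory loader.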
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677658649.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10ad000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dae734ed2fe46efeb6adc02835812bb32d30b0f6fa1a89604248400147d3b57d
                                                    • Instruction ID: 428ddc6a68ca323d25f3c868a9ae94a9e0ca75dcfb3feaea9224c228959eade9
                                                    • Opcode Fuzzy Hash: dae734ed2fe46efeb6adc02835812bb32d30b0f6fa1a89604248400147d3b57d
                                                    • Instruction Fuzzy Hash: 1F212572500304DFDB05DF94D9C0F5ABFA5FB88324F60C1A9E9490B656C73AE456CBA2
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677824493.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10bd000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05c34d269a6e87cf0b1089fcde68da05acd1fcb4021849ecfbdae77c20aed258
                                                    • Instruction ID: a5d8fc45943c59c1674166a5c33d85623a4f11d7a9e99999219fbc915e2b2787
                                                    • Opcode Fuzzy Hash: 05c34d269a6e87cf0b1089fcde68da05acd1fcb4021849ecfbdae77c20aed258
                                                    • Instruction Fuzzy Hash: 4F212271614300DFDB15DF94D8C0B56FBA1EB88358F20C5ADE88A0B242C33AD847CB62
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677824493.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10bd000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2bd7e7e28186a780ea443d7b39b6f02acc52d3dc87f021c0f2ee86e1874ffaa0
                                                    • Instruction ID: 3255525d6c4e7c70f859c9bc97d3a3cf670ec0b2ed339f992302d9d77c6226d4
                                                    • Opcode Fuzzy Hash: 2bd7e7e28186a780ea443d7b39b6f02acc52d3dc87f021c0f2ee86e1874ffaa0
                                                    • Instruction Fuzzy Hash: 1821F571504384EFDB05DF94D5C0B55FBA5FB94328F20C5ADD8894B252C336D846CB61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677824493.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10bd000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74c034c4993796f0a0c3b9283d4e444a961cbe9140dee0361f2cde3aec36ce93
                                                    • Instruction ID: 63aa3140d354fce299f927c1292de087e45fdee6ba2b014560c75af5d019edb2
                                                    • Opcode Fuzzy Hash: 74c034c4993796f0a0c3b9283d4e444a961cbe9140dee0361f2cde3aec36ce93
                                                    • Instruction Fuzzy Hash: DC2183755083809FCB02CF54D9D4711BFB1EB46214F28C5DAD8898F2A7C33A9816CB62
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677658649.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10ad000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction ID: 2568b3e444050d429bfbd74bc664516e71e91920bcb6a5cfcf51f98f81dde398
                                                    • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                    • Instruction Fuzzy Hash: C311E176404240CFDB06CF84D5C4B56BFB1FB84324F24C2A9D8490B657C33AE456CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677824493.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10bd000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction ID: f3813b8c20686dfc0ffa760ca2984abdd8c1f550196b46fedecc9ab62d8f6bc8
                                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction Fuzzy Hash: A411BB75504280DFCB06CF54C5C0B15FFA1FB84228F24C6A9D8894B296C33AD80ACB61
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677658649.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10ad000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ca3f46f0262faa3be877d55ef7a2f530b5b9da76c9e5e3e7d2d63f0d8aed7600
                                                    • Instruction ID: 672e125061dad46cbe7b9fb6c72605fa87d30b8965dc8e1aeb292d4548f5e04d
                                                    • Opcode Fuzzy Hash: ca3f46f0262faa3be877d55ef7a2f530b5b9da76c9e5e3e7d2d63f0d8aed7600
                                                    • Instruction Fuzzy Hash: 8301F7311043809AF7259AD5CC84B6EBFE8FF41264F44C55AEE490A682E7799841CBB5
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.1677658649.00000000010AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10ad000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d9c4a9fc4a34c8c33397e30f2c650d2490616f25d7d34cc36cb99c120fbd78f
                                                    • Instruction ID: 413c6ed84a35f23e36e172fd427e0b05fc8b7476493c7adb35330142fdcb4e83
                                                    • Opcode Fuzzy Hash: 3d9c4a9fc4a34c8c33397e30f2c650d2490616f25d7d34cc36cb99c120fbd78f
                                                    • Instruction Fuzzy Hash: 1EF0C231404384AEE7248E59C8C4B6AFFE8EB41274F18C45AED480E696D2799841CBB1

                                                    Execution Graph

                                                    Execution Coverage:9.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:88
                                                    Total number of Limit Nodes:11
                                                    execution_graph 23178 15d4668 23179 15d4676 23178->23179 23184 15d6de0 23179->23184 23182 15d4704 23185 15d6e05 23184->23185 23193 15d6edf 23185->23193 23197 15d6ef0 23185->23197 23186 15d46e9 23189 15d421c 23186->23189 23190 15d4227 23189->23190 23205 15d8560 23190->23205 23192 15d8806 23192->23182 23194 15d6f17 23193->23194 23195 15d6ff4 23194->23195 23201 15d6414 23194->23201 23199 15d6f17 23197->23199 23198 15d6ff4 23199->23198 23200 15d6414 CreateActCtxA 23199->23200 23200->23198 23202 15d7370 CreateActCtxA 23201->23202 23204 15d7433 23202->23204 23206 15d856b 23205->23206 23209 15d8580 23206->23209 23208 15d88dd 23208->23192 23210 15d858b 23209->23210 23213 15d85b0 23210->23213 23212 15d89ba 23212->23208 23214 15d85bb 23213->23214 23217 15d85e0 23214->23217 23216 15d8aad 23216->23212 23218 15d85eb 23217->23218 23220 15d9e93 23218->23220 23224 15dbed1 23218->23224 23219 15d9ed1 23219->23216 23220->23219 23230 15ddf60 23220->23230 23236 15ddf70 23220->23236 23225 15dbeda 23224->23225 23227 15dbe91 23224->23227 23242 15dbf08 23225->23242 23245 15dbef8 23225->23245 23226 15dbee6 23226->23220 23227->23220 23232 15ddf70 23230->23232 23231 15ddfb5 23231->23219 23232->23231 23253 15de110 23232->23253 23257 15de120 23232->23257 23233 15de045 23233->23219 23237 15ddf91 23236->23237 23238 15ddfb5 23237->23238 23240 15de110 3 API calls 23237->23240 23241 15de120 3 API calls 23237->23241 23238->23219 23239 15de045 23239->23219 23240->23239 23241->23239 23248 15dbff0 23242->23248 23243 15dbf17 23243->23226 23246 15dbf17 23245->23246 23247 15dbff0 GetModuleHandleW 23245->23247 23246->23226 23247->23246 23249 15dc011 23248->23249 23250 15dc034 23248->23250 23249->23250 23251 15dc238 GetModuleHandleW 23249->23251 23250->23243 23252 15dc265 23251->23252 23252->23243 23254 15de120 23253->23254 23255 15de166 23254->23255 23261 15dc464 23254->23261 23255->23233 23259 15de12d 23257->23259 23258 15de166 23258->23233 23259->23258 
23260 15dc464 3 API calls 23259->23260 23260->23258 23262 15dc46f 23261->23262 23264 15de1d8 23262->23264 23265 15dc498 23262->23265 23264->23264 23266 15dc4a3 23265->23266 23267 15d85e0 3 API calls 23266->23267 23268 15de247 23267->23268 23271 15de2c0 23268->23271 23269 15de256 23269->23264 23272 15de2ee 23271->23272 23273 15dc530 GetFocus 23272->23273 23274 15de317 23272->23274 23276 15de3bf 23272->23276 23273->23274 23275 15de3ba KiUserCallbackDispatcher 23274->23275 23274->23276 23275->23276 23277 15d6788 DuplicateHandle 23278 15d681e 23277->23278 23279 15d6540 23280 15d6586 GetCurrentProcess 23279->23280 23282 15d65d8 GetCurrentThread 23280->23282 23283 15d65d1 23280->23283 23284 15d660e 23282->23284 23285 15d6615 GetCurrentProcess 23282->23285 23283->23282 23284->23285 23288 15d664b 23285->23288 23286 15d6673 GetCurrentThreadId 23287 15d66a4 23286->23287 23288->23286
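Added example, again not from the report: the Execution Graph above is rendered on this page as flat "id address [label] src->dst" tokens. The script below parses that text into nodes and edges and lists, for each entry node, the API labels reachable from it, which turns the dump into something readable (for instance that the code at 15d6540 reaches GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId). The excerpt is copied from the graph above; the order returned is breadth-first reachability, which approximates but does not prove call order, and a label such as "3 API calls" is kept as the report's own summary of a callee it did not expand. The same tokeniser reads the control_flow_graph lines, whose addresses are ranges.

```python
import re
from collections import defaultdict, deque

# Constructed sample: four entry points copied from the Execution Graph text above
# (process 7). "3 API calls" is how the report summarises an unexpanded callee.
GRAPH_EXCERPT = (
    "23197 15d6ef0 23199 15d6f17 23197->23199 23198 15d6ff4 23199->23198 "
    "23200 15d6414 CreateActCtxA 23199->23200 23200->23198 "
    "23236 15ddf70 23237 15ddf91 23236->23237 23240 15de110 3 API calls 23237->23240 "
    "23239 15de045 23240->23239 "
    "23277 15d6788 DuplicateHandle 23278 15d681e 23277->23278 "
    "23279 15d6540 23280 15d6586 GetCurrentProcess 23279->23280 "
    "23282 15d65d8 GetCurrentThread 23280->23282 23283 15d65d1 23280->23283 "
    "23284 15d660e 23282->23284 23285 15d6615 GetCurrentProcess 23282->23285 "
    "23283->23282 23284->23285 23288 15d664b 23285->23288 "
    "23286 15d6673 GetCurrentThreadId 23287 15d66a4 23286->23287 23288->23286"
)

NODE_ID = re.compile(r"^\d+$")
# A node address is a lowercase hex value or, in control_flow_graph lines, a hex range.
ADDR = re.compile(r"^[0-9a-f]{5,8}(-[0-9a-f]{5,8})?$")


def parse_graph(text):
    """Tokenise 'id addr [label...]' node entries and 'src->dst' edges."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            # a decimal id immediately followed by an address starts a node
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "label": []}
            i += 2
        else:
            # anything else ("CreateActCtxA", "3", "API", "calls") extends the current label
            if current is not None:
                nodes[current]["label"].append(tok)
            i += 1
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, edges


def roots(nodes, edges):
    """Nodes nothing points at: the entry points of separately reached code paths."""
    targets = {dst for _, dst in edges}
    return [n for n in nodes if n not in targets]


def api_chain(nodes, edges, root):
    """Labels of every node reachable from root, in breadth-first order.

    This is reachability, not a trace: the graph does not record which branch ran.
    """
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    seen, order, queue = {root}, [], deque([root])
    while queue:
        n = queue.popleft()
        label = nodes.get(n, {}).get("label", "")
        if label:
            order.append(label)
        for dst in adj[n]:
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return order


def summarize(text):
    """Map each entry node's address to the API labels reachable from it."""
    nodes, edges = parse_graph(text)
    return {nodes[r]["addr"]: api_chain(nodes, edges, r) for r in roots(nodes, edges)}


if __name__ == "__main__":
    for addr, chain in summarize(GRAPH_EXCERPT).items():
        print(f"{addr}: {' -> '.join(chain) or '(no API reached)'}")
```

Run against the whole graph text rather than the excerpt, the summary also surfaces the 15d6ef0 path to CreateActCtxA and the DuplicateHandle entry at 15d6788, which is the quickest way to see which of the dynamically decrypted regions actually touch the injection-related APIs listed in the function records.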

                                                    Control-flow Graph

                                                    control_flow_graph 280 803b6d0-803b6ec 281 803b6f2-803b6ff 280->281 282 803b776-803b7bd 280->282 285 803b701-803b70f call 803b110 281->285 286 803b716-803b722 281->286 298 803b831-803b85a 282->298 299 803b7bf-803b7cf 282->299 289 803b711-803b714 285->289 291 803b724-803b748 286->291 292 803b74a 286->292 293 803b753-803b773 289->293 291->292 291->293 292->293 300 803b890-803b8f1 299->300 301 803b7d5-803b7db 299->301 321 803b8f3-803b91a 300->321 322 803b91b-803b956 300->322 303 803b805-803b816 301->303 304 803b7dd-803b7e0 301->304 311 803b818 303->311 312 803b81e-803b822 303->312 306 803b7e2-803b804 304->306 307 803b85b-803b889 304->307 307->300 313 803b82a-803b830 311->313 314 803b81a-803b81c 311->314 312->313 313->298 314->312 314->313 328 803b958-803b95c 322->328 329 803b95d-803b969 322->329 328->329 330 803b96b-803b974 call 803b578 329->330 331 803b979-803b97d 329->331 330->331 332 803b993-803b9a4 331->332 333 803b97f-803b98e 331->333 336 803bea2-803bec2 332->336 337 803b9aa-803b9bf 332->337 335 803bd28-803bd2f 333->335 350 803bec4-803bec8 336->350 351 803bedb-803bf16 336->351 338 803b9c1-803b9c6 337->338 339 803b9cb-803b9de 337->339 338->335 340 803bd30-803bd4e 339->340 341 803b9e4-803b9f0 339->341 349 803bd55-803bd73 340->349 341->336 343 803b9f6-803ba2d 341->343 344 803ba39-803ba3d 343->344 345 803ba2f-803ba34 343->345 348 803ba43-803ba4f 344->348 344->349 345->335 348->336 352 803ba55-803ba8c 348->352 361 803bd7a-803bd98 349->361 354 803beca-803bed5 350->354 355 803bed8-803beda 350->355 382 803bf18-803bf1c 351->382 383 803bf1d-803bf26 351->383 357 803ba98-803ba9c 352->357 358 803ba8e-803ba93 352->358 354->355 360 803baa2-803baae 357->360 357->361 358->335 360->336 366 803bab4-803baeb 360->366 373 803bd9f-803bdbd 361->373 368 803baf7-803bafb 366->368 369 803baed-803baf2 366->369 372 803bb01-803bb0d 368->372 368->373 369->335 372->336 375 803bb13-803bb4a 372->375 381 803bdc4-803bde2 373->381 377 
803bb56-803bb5a 375->377 378 803bb4c-803bb51 375->378 380 803bb60-803bb6c 377->380 377->381 378->335 380->336 386 803bb72-803bba9 380->386 395 803bde9-803be07 381->395 382->383 387 803bf35-803bf3a 383->387 388 803bf28-803bf34 383->388 389 803bbb5-803bbb9 386->389 390 803bbab-803bbb0 386->390 392 803bf78-803bf7c 387->392 393 803bf3c-803bf3f 387->393 389->395 396 803bbbf-803bbcb 389->396 390->335 398 803bf6d-803bf76 393->398 406 803be0e-803be2c 395->406 396->336 399 803bbd1-803bc08 396->399 398->392 400 803bf41-803bf55 398->400 402 803bc14-803bc18 399->402 403 803bc0a-803bc0f 399->403 410 803bf57-803bf6b call 8033820 400->410 411 803bf6c 400->411 402->406 407 803bc1e-803bc2a 402->407 403->335 419 803be33-803be51 406->419 407->336 412 803bc30-803bc67 407->412 411->398 415 803bc73-803bc77 412->415 416 803bc69-803bc6e 412->416 415->419 420 803bc7d-803bc89 415->420 416->335 427 803be58-803be76 419->427 420->336 422 803bc8f-803bcc6 420->422 424 803bcc8-803bccd 422->424 425 803bccf-803bcd3 422->425 424->335 426 803bcd9-803bce2 425->426 425->427 426->336 430 803bce8-803bd1d 426->430 432 803be7d-803be9b 427->432 431 803bd23 430->431 430->432 431->335 432->336
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$(q
                                                    • API String ID: 0-2485164810
                                                    • Opcode ID: 2accf3a268824b9379a366ec487827b8c2517a5771152efa7f56f633052cbb59
                                                    • Instruction ID: 30847bb37f26686cb03bc3a789a0f4dd9595adcb8d8421ad4a64c98a24f5b94c
                                                    • Opcode Fuzzy Hash: 2accf3a268824b9379a366ec487827b8c2517a5771152efa7f56f633052cbb59
                                                    • Instruction Fuzzy Hash: C5428A74B007168FCB18DF69C4A466EFBF6FF88315F148929E55A97391DB34A802CB84

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$(q$(q$(q$(q$Hq$Hq
                                                    • API String ID: 0-1366513505
                                                    • Opcode ID: 14edf6adbe278357f2a3c29578b21a69af1b1d90f717ad5bbaaffe020c77045c
                                                    • Instruction ID: e4b7abc4f56d47610ee2f1b27d023fcfe32028a92b514ba2af93268536addc13
                                                    • Opcode Fuzzy Hash: 14edf6adbe278357f2a3c29578b21a69af1b1d90f717ad5bbaaffe020c77045c
                                                    • Instruction Fuzzy Hash: 64E1E030604B15CFD715CB68D48466EBBE7FF86216B548A1DD486CB785CB70EC02CB94

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 015D65BE
                                                    • GetCurrentThread.KERNEL32 ref: 015D65FB
                                                    • GetCurrentProcess.KERNEL32 ref: 015D6638
                                                    • GetCurrentThreadId.KERNEL32 ref: 015D6691
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 1ecaf609b9e9ef057d72897ddf3824b3705946eb6e1972005036d097fd8c7ff6
                                                    • Instruction ID: 9e073c215dfbc3fe16b0017abf44da0dbcccea6d281d20a4a3b9802fcfa356b8
                                                    • Opcode Fuzzy Hash: 1ecaf609b9e9ef057d72897ddf3824b3705946eb6e1972005036d097fd8c7ff6
                                                    • Instruction Fuzzy Hash: F55166B09103498FEB14CFA9D549BDEBFF1FF48314F24845AE409AB290DB38A945CB65

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 015D65BE
                                                    • GetCurrentThread.KERNEL32 ref: 015D65FB
                                                    • GetCurrentProcess.KERNEL32 ref: 015D6638
                                                    • GetCurrentThreadId.KERNEL32 ref: 015D6691
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 4041580eca081661518e0abdcf092acf043a18d05b7003dd5dc14c9ebafadb79
                                                    • Instruction ID: 6157b2007968576a82eb6fa45652ee2dde23e4f436a0b7525581bf92284ff8cf
                                                    • Opcode Fuzzy Hash: 4041580eca081661518e0abdcf092acf043a18d05b7003dd5dc14c9ebafadb79
                                                    • Instruction Fuzzy Hash: 945145B0900309CFDB24CFA9D588B9EBBF1FF88314F24855AE419A7350DB786945CB65

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$(q$Hq
                                                    • API String ID: 0-2914423630
                                                    • Opcode ID: 5d4e8b4bce9875c85d80adc3d48a84a4a3e740c05aa4385a300be990075f4fb6
                                                    • Instruction ID: a147cf3f65ce8c0fe4c9506e4c272d41139f12badcc034b33acf4e0a79741940
                                                    • Opcode Fuzzy Hash: 5d4e8b4bce9875c85d80adc3d48a84a4a3e740c05aa4385a300be990075f4fb6
                                                    • Instruction Fuzzy Hash: 01E1A634A00219DFCB58EFA4D5949AEB7B6FF89301F118569E402AB364DF34ED42CB91

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015D7421
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: U
                                                    • API String ID: 2289755597-3372436214
                                                    • Opcode ID: e294e25afb3f6e5b8d7adda58ecc670f208f87e2d8c8d25f268b3e7979c26696
                                                    • Instruction ID: cc6a61a7667ec9b837c6220919e83e782b5a57a2c865133dafd40837bacdd122
                                                    • Opcode Fuzzy Hash: e294e25afb3f6e5b8d7adda58ecc670f208f87e2d8c8d25f268b3e7979c26696
                                                    • Instruction Fuzzy Hash: 7341B170C00719CFEB25CFA9C884BDDBBB5BF49318F20846AD419AB251DB796946CF90

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$Hq
                                                    • API String ID: 0-1154169777
                                                    • Opcode ID: 2662286b0077e1ae8e1b9d5fc9a20eb387de886d30925edc1e70d436ddb83387
                                                    • Instruction ID: e3dd5eeb8a18c107bca041541d04b8cf3bb80b5912108daba80f58bfc5e67363
                                                    • Opcode Fuzzy Hash: 2662286b0077e1ae8e1b9d5fc9a20eb387de886d30925edc1e70d436ddb83387
                                                    • Instruction Fuzzy Hash: 7DE1DE30B003168FDB289B69C45026EBBF7FFC5214B24892ED44ADB791DE35E802DB84

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$Hq
                                                    • API String ID: 0-1154169777
                                                    • Opcode ID: 5492b79992acc81fffa9e99d35bfe7ebdd20154819057bd3d2fac6d74f8ad667
                                                    • Instruction ID: 0f7c95f8a2c4004e77468bc8f77a801b8f750feef95ca50d42c47324c5b3ac33
                                                    • Opcode Fuzzy Hash: 5492b79992acc81fffa9e99d35bfe7ebdd20154819057bd3d2fac6d74f8ad667
                                                    • Instruction Fuzzy Hash: 1D51F231300B219FE725DF2AC840B5BB7EAEF85720F10852EE55A8B390DB78D945CB91

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (q$,q
                                                    • API String ID: 0-275420656
                                                    • Opcode ID: cdf2a13aadb54f938956dd4633fa87bc5857dc8ecf5a6575a34c697fb7d25ec3
                                                    • Instruction ID: e6a1097930d89ce373afb70273c1da54b2a1063d2c6f265ef207f7c37ddf67bf
                                                    • Opcode Fuzzy Hash: cdf2a13aadb54f938956dd4633fa87bc5857dc8ecf5a6575a34c697fb7d25ec3
                                                    • Instruction Fuzzy Hash: BE41D6327001596FDF159EEA9C509FFBBEEEF88111F14403AFA15E3241DA35C92597A0

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 015DC256
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 993b57cd4ce966f0f7cd78f3e8869aaa6ea3ffc468f78e4e2486031315be58d2
                                                    • Instruction ID: 70f7fcadc2114f8f32b850279ff9023be16f99edfb229be0210b2a90730bc1a5
                                                    • Opcode Fuzzy Hash: 993b57cd4ce966f0f7cd78f3e8869aaa6ea3ffc468f78e4e2486031315be58d2
                                                    • Instruction Fuzzy Hash: FA8139B0A00B058FE725DF6DC44075ABBF5FF88204F04896ED49ADBA50DB75E846CB91

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015D7421
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 03facec97920fbb6cbe3c761ab3e6d85b72e259a2f929b3021a1c0148132a317
                                                    • Instruction ID: 9f935b68cf92d81e782d49a4b544d2a2c768743d81b4feededdd6b70c0fcba9e
                                                    • Opcode Fuzzy Hash: 03facec97920fbb6cbe3c761ab3e6d85b72e259a2f929b3021a1c0148132a317
                                                    • Instruction Fuzzy Hash: 1841C170C00719CBEB25DFA9C884B9DBBF5BF48318F20805AD409AB251DB796946CF90

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015D680F
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: be9077cacf3af3153d187223ed5b07e6c4a2fe6d8c1188b2178b0610d64a5711
                                                    • Instruction ID: af81af42c9dbd3fbca5f68799fc57f03c16e42a3fff1e13e3a8aa5e92f80b8fd
                                                    • Opcode Fuzzy Hash: be9077cacf3af3153d187223ed5b07e6c4a2fe6d8c1188b2178b0610d64a5711
                                                    • Instruction Fuzzy Hash: A821F4B5D003499FDB10CFAAD985ADEBBF4FB48320F14841AE914A7311D778AA45CFA1

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 015D680F
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3977519997.00000000015D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015D0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_15d0000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 06711211f80dc80f82aa5117cfa49865f50ea55e035af7225af21c0e476667b9
                                                    • Instruction ID: 0adc83e25e5c2c9bce190a1f1870c9c6ed661f310d21c1e4f92b0d8689721e2e
                                                    • Opcode Fuzzy Hash: 06711211f80dc80f82aa5117cfa49865f50ea55e035af7225af21c0e476667b9
                                                    • Instruction Fuzzy Hash: 6F21E4B5D003489FDB10CF9AD984ADEBBF5FB48310F14841AE918A7310D778A941CFA1

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 015DC256
                                                    • API ID: HandleModule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • String ID: Hq
                                                    Strings
                                                    • String ID: (q
                                                    Strings
                                                    • String ID: (q
                                                    Strings
                                                    • String ID: xq
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 576f09bcad1c3631a7995f6cd251023ee70849da516922ec9b75ff61338d5615
                                                    • Instruction ID: f9d0d1abff14dacc794da3f36f4fa6b7c56d7f4996ef55053dac115945e1f300
                                                    • Opcode Fuzzy Hash: 576f09bcad1c3631a7995f6cd251023ee70849da516922ec9b75ff61338d5615
                                                    • Instruction Fuzzy Hash: 16310A35A001189FDF54DFA8D895AEEB7BAFF88311F108169E901B7394CB75AD05CBA0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93757b4271d7d51ddf2f969ac93b7f1ba81cf2fbb5f216f48e4957455040c626
                                                    • Instruction ID: 0c7f816b510acf6ba72f3913567c18a822c3ee26a2be21dd53c71235f82bcf45
                                                    • Opcode Fuzzy Hash: 93757b4271d7d51ddf2f969ac93b7f1ba81cf2fbb5f216f48e4957455040c626
                                                    • Instruction Fuzzy Hash: FC315C34B106188FCB44FF64C994AAEB7BAAFC9701B10855AE5129B364DF7099029BD1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3975230924.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_138d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0cb95d37d7a2e11248528804ec04e798f7df18cfdbad174dc9b3c77a52be9f74
                                                    • Instruction ID: 3c40a474d18112940d4d4b192ddbc5707fd0b70ffb8c63f6959580f3dba9317f
                                                    • Opcode Fuzzy Hash: 0cb95d37d7a2e11248528804ec04e798f7df18cfdbad174dc9b3c77a52be9f74
                                                    • Instruction Fuzzy Hash: 602134B1604304DFDB15EF94D8C0B16BB65FB88358F20C56DD80A4B386C33AD847CA62
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81d0093fe9c74213608bc26a0813f2e9ebc1e0f53834e2c32ce717413b33238f
                                                    • Instruction ID: 8a6d5530050a935588ba40ee5c8b2caa4cdcad44738bde6ccfc3b31a80fa5b59
                                                    • Opcode Fuzzy Hash: 81d0093fe9c74213608bc26a0813f2e9ebc1e0f53834e2c32ce717413b33238f
                                                    • Instruction Fuzzy Hash: 9B21AE31A10229DFCB149FA8C854AEE7BBBFF8C321F148529E811A7390DB749841CB90
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f7d78375510cf8422815e9690568065e1b42c6ceefc53ded85a685f0828375d0
                                                    • Instruction ID: 05fa6740b4e8662bae368876b82b660b33af05a48c87b2c18cdf73c0beaab8b5
                                                    • Opcode Fuzzy Hash: f7d78375510cf8422815e9690568065e1b42c6ceefc53ded85a685f0828375d0
                                                    • Instruction Fuzzy Hash: F1217C31A102289FCB159FA9C844AEE7BBBFF8C321F148529E915A7390DB719841CB90
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 271014292af92fc98e206a09c11575dfee07c33015d95960fd2265c931d46fb6
                                                    • Instruction ID: 2794962a514d93222d8ec2ac9165acfdeebea1f5c0d64845239280db42d99351
                                                    • Opcode Fuzzy Hash: 271014292af92fc98e206a09c11575dfee07c33015d95960fd2265c931d46fb6
                                                    • Instruction Fuzzy Hash: D421CA347003048FCB54EF28D994AAEB7F6FF89301F1445AAE5029B361DB70AD05CBA1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8fd44618b4774c71954e5811e72d9018516aef8e31be7e5178e37628c9dd48ca
                                                    • Instruction ID: c3d748faff89acb610ee60bed9f2c47af1a758fc76dc0b845a4e9c91b49f1cde
                                                    • Opcode Fuzzy Hash: 8fd44618b4774c71954e5811e72d9018516aef8e31be7e5178e37628c9dd48ca
                                                    • Instruction Fuzzy Hash: F011D331A08755AFCB55CBA9C480699BFF6EF06314F14C1EEE459DB282D335A943CB41
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ffc5ed8e1e4701dc00ab3e4c7959847a5b7a1bfa160f8374d39015f290aaeb4e
                                                    • Instruction ID: 5690d56da5f4e6276ad903b4abc06268ddc4bc451f6a4108ec5510d3b0b8dd43
                                                    • Opcode Fuzzy Hash: ffc5ed8e1e4701dc00ab3e4c7959847a5b7a1bfa160f8374d39015f290aaeb4e
                                                    • Instruction Fuzzy Hash: 8D119D34B006048FCB54EF68D994AAEB7F6FF88301F14456AE5069B360DB70ED05CBA1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3975230924.000000000138D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0138D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_138d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction ID: 81339b8ddfbdf38a61ff63fd058a96a655984a874905c515a674a0880ffb28d8
                                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                    • Instruction Fuzzy Hash: D611BBB5504380CFDB16DF54D5C4B15BFA2FB88318F24C6AAD8494B696C33AD40BCBA2
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 39844d0a67908ee46d2e672c94b8b5bee5998e4da32fbd3d6ea5d6eb817adfc8
                                                    • Instruction ID: ebf411cd276878dd9c24b47f0d1679648722e4bffa9a3f8d1ea3f036dc8c3d67
                                                    • Opcode Fuzzy Hash: 39844d0a67908ee46d2e672c94b8b5bee5998e4da32fbd3d6ea5d6eb817adfc8
                                                    • Instruction Fuzzy Hash: BC0126343007509FC7269B24D890A3B7BABABC5311F14856DE5528B7A1CB75ED02DB80
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e4a7e6100e60ab8debdc60c1c765ebd0b47644d4242a69afdb78888e6007453
                                                    • Instruction ID: 354d3eefb79a10717414f8f50656b50474aaff8225880e603160dda85f71f2a2
                                                    • Opcode Fuzzy Hash: 9e4a7e6100e60ab8debdc60c1c765ebd0b47644d4242a69afdb78888e6007453
                                                    • Instruction Fuzzy Hash: 7E117030A11229DFCB55CF58D894EADB7F6FF49220F06015AF555AB3A2CB799C41CB40
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 438519a03e88c2520985ea12c7e4103586740c9d54295d83f6b51b87b367f23f
                                                    • Instruction ID: 14a31af026348cdc75457b39488b307479183a6105448e29a242f3dd886c53db
                                                    • Opcode Fuzzy Hash: 438519a03e88c2520985ea12c7e4103586740c9d54295d83f6b51b87b367f23f
                                                    • Instruction Fuzzy Hash: 62018479300920DFC7189B24D814F2AB7A7EFC8751B108129EA058B790CF75EC02CBD6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95e391af9c461af07b8769039c58821d5f27b8f2f1105691910185ee70c1a5b6
                                                    • Instruction ID: fc42673830e0480aa80a12e54ed5fea9e65090cd74470db49c3187aa81cfcba7
                                                    • Opcode Fuzzy Hash: 95e391af9c461af07b8769039c58821d5f27b8f2f1105691910185ee70c1a5b6
                                                    • Instruction Fuzzy Hash: EB014035E006199FC711DF69D5159AEBBF9EF89311F10856AE415E3310EB30AA04CF61
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e4ad5674285f46b43a3e96bf5cba15caea03e91d20726042e61d4e9cb6f3cc4
                                                    • Instruction ID: 1e6e654b2949d00cb637b4709d4e614e168cc9c571d23889fe5920418ea04860
                                                    • Opcode Fuzzy Hash: 9e4ad5674285f46b43a3e96bf5cba15caea03e91d20726042e61d4e9cb6f3cc4
                                                    • Instruction Fuzzy Hash: 2B01D8353006149FD3299B24D494A3BBBEBEBC5311F14856CE5564B7A0CF79EC42DB80
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c55ecef7e544c07fcede1f745bf986cb1a92bd9bc552d4e0ab9f8df82cae82e0
                                                    • Instruction ID: 6db8a3a44574cdd71bbb212cbac8d678814e0cc6ca15b0bbf80a3b68e8d78653
                                                    • Opcode Fuzzy Hash: c55ecef7e544c07fcede1f745bf986cb1a92bd9bc552d4e0ab9f8df82cae82e0
                                                    • Instruction Fuzzy Hash: A901A4353413509FC7059B25C854D6ABBBBEF8A761B0585EEF942CB361CA31DC42CB91
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5aca6db1ff7d77783c6f37abdc59a4d8900d054f034dcaa4ab9371643f200961
                                                    • Instruction ID: d5d9cd93c388f73903d16072e1301c6235b93eebcc124cfadd6cd10551fb039c
                                                    • Opcode Fuzzy Hash: 5aca6db1ff7d77783c6f37abdc59a4d8900d054f034dcaa4ab9371643f200961
                                                    • Instruction Fuzzy Hash: 07013179300520DFC7199B24D46892AB7A7EFCC751B108169EA168B790CF75EC02CBD6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3975174158.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_137d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f0c06128fad1f27b4a868564f05259d93c5bcd3f753bda2eacacc574b429a31b
                                                    • Instruction ID: 73606e3a907e76ca38dd73be771b6eb6c5e02c52597b350f56a4bf8284eb462d
                                                    • Opcode Fuzzy Hash: f0c06128fad1f27b4a868564f05259d93c5bcd3f753bda2eacacc574b429a31b
                                                    • Instruction Fuzzy Hash: A3F0E776200604AFD7208F0AD984C23FBAEEFD4674715C59AE94A4B652D675FC41CAA0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9253e05f18d14e20c9763c3e9f73f259a63028fab6c141538ab63a2f3c9f8a3e
                                                    • Instruction ID: b6f8854b9fd110d15903cab500127452350273b81b63f83e71df743cbdababd6
                                                    • Opcode Fuzzy Hash: 9253e05f18d14e20c9763c3e9f73f259a63028fab6c141538ab63a2f3c9f8a3e
                                                    • Instruction Fuzzy Hash: CCF0A076301A26A7C794251D9811B7F77DF9FC6662F10402AF9418B280DFB9D91283E6
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.3975174158.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_137d000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d9f691bb31be19d38dd8fbb49d06bc21abbd271e9ac55f5391cc31c0fe430db
                                                    • Instruction ID: 3456b9010007b0c5aac49941e903268ebbcd0f7211f57dadafad8169916c2cf2
                                                    • Opcode Fuzzy Hash: 2d9f691bb31be19d38dd8fbb49d06bc21abbd271e9ac55f5391cc31c0fe430db
                                                    • Instruction Fuzzy Hash: 5BF03775104680AFD725CF06CD84C23BBB9EF896647198489E89A8B762C735FC42CFA0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 549fcb40dae0417209e7ae7f923b42073a2f16c20e26afdd70761aedd58283d5
                                                    • Instruction ID: 7587d48ce97030914b9bd96480669032c853907a14461c9061b7c583719ea50d
                                                    • Opcode Fuzzy Hash: 549fcb40dae0417209e7ae7f923b42073a2f16c20e26afdd70761aedd58283d5
                                                    • Instruction Fuzzy Hash: 9AF05E353003109FC704DB19D854D2A77AAFFC9761B1581A9FA46CB360CA71EC42CB90
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f8600a729cfb1bd3329dd2ee3472636c9286d17e9f13f39ee139763ef8059e2
                                                    • Instruction ID: 66ceaceb0f367ea76862b225a554b936055a3a0635266ae9d131a2eb0d5dfb10
                                                    • Opcode Fuzzy Hash: 2f8600a729cfb1bd3329dd2ee3472636c9286d17e9f13f39ee139763ef8059e2
                                                    • Instruction Fuzzy Hash: 5EE0CDA13493949FD306A3BD5C1056A3FEFDF8A25071440BBD455C7751C9785C0287B9
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 52246f56e331d506cf04c8c1d7fbcac86e3b3c375997e22c948c6c910e7153ff
                                                    • Instruction ID: ffcab3dd58a55119a2da7d80436357bf932755abb7007bd7c60b5543442d92b6
                                                    • Opcode Fuzzy Hash: 52246f56e331d506cf04c8c1d7fbcac86e3b3c375997e22c948c6c910e7153ff
                                                    • Instruction Fuzzy Hash: 39F03970A0122ADFCB65DF44C999AFDBBFAFF48311F02404AE041A7261CB385C46DB00
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b169f9254e9f8f31841cfca922cda9e9eb8b9f932ac1933d5b45eccf6f2091e9
                                                    • Instruction ID: 866f75278050f0fd9a7a10eb4566cc4bfb10040645e7d035e3fdfbd75902d236
                                                    • Opcode Fuzzy Hash: b169f9254e9f8f31841cfca922cda9e9eb8b9f932ac1933d5b45eccf6f2091e9
                                                    • Instruction Fuzzy Hash: 90D0A7312143315BD730551AE401766B7DDDB02676F20502DF849CA240DF5394209B97
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9aff05f32634f820a46ec79cbcc2425ac5c84b6c038103314c7e35bdce39d99
                                                    • Instruction ID: b4dd44e4a21c3f7b558c8d2361769215da3b86414faa20466a2e46a07c3f61fd
                                                    • Opcode Fuzzy Hash: c9aff05f32634f820a46ec79cbcc2425ac5c84b6c038103314c7e35bdce39d99
                                                    • Instruction Fuzzy Hash: 55D0A930000329EFE7B05A90E80A7627FECEB0532BF2112ACEC080020197B384A2EA42
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91eeb5d958b4fa37d337bce7d7132992e4aaccdb77c88c4635e0cebe6846112f
                                                    • Instruction ID: 61e42a6afd624ae3e9930826b16385b238a05b6207fa1b6e6f72e30fa23bfbfd
                                                    • Opcode Fuzzy Hash: 91eeb5d958b4fa37d337bce7d7132992e4aaccdb77c88c4635e0cebe6846112f
                                                    • Instruction Fuzzy Hash: 5AD0C9B53002685BC649A6BAA81456F76DFABC9650B15802BD51AC3B44CE789C0246A9
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a21fa0da155ade6526e0f1dc36dd2f48753b63174329cb853a06b35a923f464e
                                                    • Instruction ID: 08d782c1bb9dd15f18392791c228caef23790502a164c3782e1ffdd815a567c2
                                                    • Opcode Fuzzy Hash: a21fa0da155ade6526e0f1dc36dd2f48753b63174329cb853a06b35a923f464e
                                                    • Instruction Fuzzy Hash: 43D0C9B5144206EFC7008B14E546B85B7A8EF14365F114050F9154A232D7359971EA41
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c35359c2da8ef5cd6acda28f5a63f1684f724ec0b6d8d58d127bd8479dddf629
                                                    • Instruction ID: 69cc2a6d22c17af08a4f209d94b5fe485e733356899909aca8cecaed76176dd1
                                                    • Opcode Fuzzy Hash: c35359c2da8ef5cd6acda28f5a63f1684f724ec0b6d8d58d127bd8479dddf629
                                                    • Instruction Fuzzy Hash: 32D01234100205DFD340DB10C945F02F7A5FF88704F28C89CA84547242C7339833EB04
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f8b504f680e1d621255ccb8a189f94d00aee267cad831ec42446ca50fe7399b
                                                    • Instruction ID: 64bb4fea72ac6aad7ad681a183ae61caa1134695cb3c7882b66fe96ae91d92b8
                                                    • Opcode Fuzzy Hash: 4f8b504f680e1d621255ccb8a189f94d00aee267cad831ec42446ca50fe7399b
                                                    • Instruction Fuzzy Hash: B4D08C7100430AEBC3216F48DA01B4ABBBEEF08B04F108029FD4802402D737A832EB85
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a387eaa6fc82bc56fce5cdcbfda6455df2b48fa23c3f6be5d74e3254607d0609
                                                    • Instruction ID: 6b192cdf5a1e5796b687024752bde1fd2ef8bcf48ffda47bc75bbb80fa1a67d0
                                                    • Opcode Fuzzy Hash: a387eaa6fc82bc56fce5cdcbfda6455df2b48fa23c3f6be5d74e3254607d0609
                                                    • Instruction Fuzzy Hash: FBD0C971501306DFEB044B10D10275677A2EFA1702F118924FA0145154D3394831EB01
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                    • Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
                                                    • Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
                                                    • Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.4012511399.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_8030000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 38c26fe24b6533abd9040f46d6fec90de48124fdc5c2251906c534fac27b7938
                                                    • Instruction ID: 738b200ed90ea01297b059036f44b0eca420b9db23ba159835437abf3fd6c120
                                                    • Opcode Fuzzy Hash: 38c26fe24b6533abd9040f46d6fec90de48124fdc5c2251906c534fac27b7938
                                                    • Instruction Fuzzy Hash: 6CB09232004208ABC604AA84E904859BB6DAB58700B008066B649061118B33A822DB94

                                                    Execution Graph

                                                    Execution Coverage: 7%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 97
                                                    Total number of Limit Nodes: 11
                                                    execution_graph 15859 1366540 15860 1366586 15859->15860 15864 1366720 15860->15864 15867 136670f 15860->15867 15861 1366673 15871 136611c 15864->15871 15868 1366713 15867->15868 15870 136674e 15867->15870 15869 136611c DuplicateHandle 15868->15869 15869->15870 15870->15861 15872 1366788 DuplicateHandle 15871->15872 15874 136674e 15872->15874 15874->15861 15875 1364668 15876 1364676 15875->15876 15881 1366de0 15876->15881 15879 1364704 15882 1366e05 15881->15882 15890 1366ef0 15882->15890 15894 1366edf 15882->15894 15883 13646e9 15886 136421c 15883->15886 15887 1364227 15886->15887 15902 1368560 15887->15902 15889 1368806 15889->15879 15891 1366f17 15890->15891 15892 1366ff4 15891->15892 15898 1366414 15891->15898 15892->15892 15896 1366f17 15894->15896 15895 1366ff4 15895->15895 15896->15895 15897 1366414 CreateActCtxA 15896->15897 15897->15895 15899 1367370 CreateActCtxA 15898->15899 15901 1367433 15899->15901 15903 136856b 15902->15903 15906 1368580 15903->15906 15905 13688dd 15905->15889 15907 136858b 15906->15907 15910 13685b0 15907->15910 15909 13689ba 15909->15905 15911 13685bb 15910->15911 15914 13685e0 15911->15914 15913 1368aad 15913->15909 15915 13685eb 15914->15915 15917 1369e93 15915->15917 15920 136bed1 15915->15920 15916 1369ed1 15916->15913 15917->15916 15926 136df70 15917->15926 15921 136be91 15920->15921 15922 136beda 15920->15922 15921->15917 15930 136bf08 15922->15930 15934 136bef8 15922->15934 15923 136bee6 15923->15917 15927 136df91 15926->15927 15928 136dfb5 15927->15928 15969 136e120 15927->15969 15928->15916 15938 136c000 15930->15938 15948 136bff0 15930->15948 15931 136bf17 15931->15923 15935 136bf17 15934->15935 15936 136c000 2 API calls 15934->15936 15937 136bff0 2 API calls 15934->15937 15935->15923 15936->15935 15937->15935 15939 136c011 15938->15939 15942 136c034 15938->15942 15958 136af60 15939->15958 15942->15931 15943 136c02c 15943->15942 15944 136c238 GetModuleHandleW 
15943->15944 15945 136c265 15944->15945 15945->15931 15949 136c011 15948->15949 15952 136c034 15948->15952 15950 136af60 GetModuleHandleW 15949->15950 15951 136c01c 15950->15951 15951->15952 15956 136c698 GetModuleHandleW 15951->15956 15957 136c689 GetModuleHandleW 15951->15957 15952->15931 15953 136c02c 15953->15952 15954 136c238 GetModuleHandleW 15953->15954 15955 136c265 15954->15955 15955->15931 15956->15953 15957->15953 15959 136c1f0 GetModuleHandleW 15958->15959 15961 136c01c 15959->15961 15961->15942 15962 136c689 15961->15962 15966 136c698 15961->15966 15963 136c698 15962->15963 15964 136af60 GetModuleHandleW 15963->15964 15965 136c6ac 15964->15965 15965->15943 15967 136af60 GetModuleHandleW 15966->15967 15968 136c6ac 15967->15968 15968->15943 15970 136e12d 15969->15970 15971 136e166 15970->15971 15973 136c464 15970->15973 15971->15928 15974 136c46f 15973->15974 15975 136e1d8 15974->15975 15977 136c498 15974->15977 15978 136c4a3 15977->15978 15979 13685e0 4 API calls 15978->15979 15980 136e247 15979->15980 15983 136e2c0 15980->15983 15981 136e256 15981->15975 15984 136e2ee 15983->15984 15985 136e3ba KiUserCallbackDispatcher 15984->15985 15986 136e3bf 15984->15986 15985->15986

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1700531674.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_1360000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 5851616ff090fff586a4778b064aa12f8d854606f4746d44f8ef8765d6f3e7b7
                                                    • Instruction ID: ca4b26208d9b10a1f0f517afe11466f6e4470d07ccb68c7f319768c7aafc4fd1
                                                    • Opcode Fuzzy Hash: 5851616ff090fff586a4778b064aa12f8d854606f4746d44f8ef8765d6f3e7b7
                                                    • Instruction Fuzzy Hash: 61715A70A00B058FD724DF69C44079ABBF5FF48608F008A2DD58AD7B44DB75E845CB91

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 57 1366414-1367431 CreateActCtxA 60 1367433-1367439 57->60 61 136743a-1367494 57->61 60->61 68 1367496-1367499 61->68 69 13674a3-13674a7 61->69 68->69 70 13674b8 69->70 71 13674a9-13674b5 69->71 73 13674b9 70->73 71->70 73->73
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01367421
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1700531674.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_1360000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: f8c993eb2fab2d9468234292159da41854ffcc06ceb75bdad3936d99ffea3340
                                                    • Instruction ID: 61be23c9410b19b3d590ea18f3c02476595e7678b6fcf7f898ca0107bc632fe3
                                                    • Opcode Fuzzy Hash: f8c993eb2fab2d9468234292159da41854ffcc06ceb75bdad3936d99ffea3340
                                                    • Instruction Fuzzy Hash: D241B170C0071DCBEB25CFA9C888BDDBBB5BF48308F60805AD418AB255D7B96946CF90

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 74 1367364-1367431 CreateActCtxA 76 1367433-1367439 74->76 77 136743a-1367494 74->77 76->77 84 1367496-1367499 77->84 85 13674a3-13674a7 77->85 84->85 86 13674b8 85->86 87 13674a9-13674b5 85->87 89 13674b9 86->89 87->86 89->89
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 01367421
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1700531674.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_1360000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: fa687f1719dc5539f7b64e76d7d79d771fb0755fdb03ec69625384c4c06848d5
                                                    • Instruction ID: 8de91b4864e4f5c0bf42eb4bda7494c7301d076e3b169448aac913e5bd8ab9bd
                                                    • Opcode Fuzzy Hash: fa687f1719dc5539f7b64e76d7d79d771fb0755fdb03ec69625384c4c06848d5
                                                    • Instruction Fuzzy Hash: 1D41D2B1C00719CFEB25CFA9C884BCDBBB5BF48308F64815AD418AB255D779694ACF90

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 90 136611c-136681c DuplicateHandle 93 1366825-1366842 90->93 94 136681e-1366824 90->94 94->93
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136674E,?,?,?,?,?), ref: 0136680F
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1700531674.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_1360000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 0a8af779bb32f0e0e21ea8624d086adddf0483d4ac77bf85e3bcbee0594808e6
                                                    • Instruction ID: a99d4146f9db7d50f75ada267230201369f2c564032eaac15703fb91140c3bb5
                                                    • Opcode Fuzzy Hash: 0a8af779bb32f0e0e21ea8624d086adddf0483d4ac77bf85e3bcbee0594808e6
                                                    • Instruction Fuzzy Hash: FD21D4B59002499FDB10CFAAD485ADEBFF8EB48310F14841AE915A3310D378A944CFA5

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 97 1366780-1366781 98 1366783-13667cb 97->98 99 13667cd-136681c DuplicateHandle 97->99 98->99 101 1366825-1366842 99->101 102 136681e-1366824 99->102 102->101
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136674E,?,?,?,?,?), ref: 0136680F
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1700531674.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_1360000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: abf88f74a41e990ff291d2b91b57fed31754634842dc3ab7fb4cde4b3017a328
                                                    • Instruction ID: c7662ece3de357306f00d9326ef5a17610561863fbec70671fb478672718e87a
                                                    • Opcode Fuzzy Hash: abf88f74a41e990ff291d2b91b57fed31754634842dc3ab7fb4cde4b3017a328
                                                    • Instruction Fuzzy Hash: C021E3B5D002499FDB10CFAAD885ADEBFF8FB48314F14841AE918A3311D378A944CFA5

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 105 136af60-136c230 107 136c232-136c235 105->107 108 136c238-136c263 GetModuleHandleW 105->108 107->108 109 136c265-136c26b 108->109 110 136c26c-136c280 108->110 109->110
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0136C01C), ref: 0136C256
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1700531674.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_1360000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: bb3a60153056d86cfd0a190f734f4d5db82540a9f5930e038d45f0ba62d78513
                                                    • Instruction ID: de00d9b5f19c51cff672717ab38fad20303f34689feea25a58157b90d7f46bed
                                                    • Opcode Fuzzy Hash: bb3a60153056d86cfd0a190f734f4d5db82540a9f5930e038d45f0ba62d78513
                                                    • Instruction Fuzzy Hash: B6110FB5C006498FDB20DF9AC444BDEFBF8EB88614F10842AD969B7301D379A546CFA5
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1699929368.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_12dd000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 700708274121bc6b48bbffc78736b279d1d37089b75c4aecd2af5ce05b627ce4
                                                    • Instruction ID: 0587866b3d12cc656d1990304a4b491bd4023b4b9ff7327900d05ffc346786cf
                                                    • Opcode Fuzzy Hash: 700708274121bc6b48bbffc78736b279d1d37089b75c4aecd2af5ce05b627ce4
                                                    • Instruction Fuzzy Hash: B4214271614708DFDB15DF64D8C0B16BB61EBC8315F20C56DD90A0B282C37AD807CA62
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.1699929368.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_12dd000_Exccelworkbook.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92375054b48839098de7e31f2bf0b092bee76e4c68da36b6a416589c54b83fbe
                                                    • Instruction ID: 9dd42c8a01553f4edc03492c7fb7765f53426e0e02f20d9e2a2d0712dbebf99f
                                                    • Opcode Fuzzy Hash: 92375054b48839098de7e31f2bf0b092bee76e4c68da36b6a416589c54b83fbe
                                                    • Instruction Fuzzy Hash: 6521F3755083848FCB03CF24C990705BF71EB86314F28C5EAD9498B2A7C33AD80ACB62